Merging policy-refresh branch into main (#1276)

Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Co-authored-by: Robert Lightner <49571483+DaFitRobsta@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: JamJarchitect <53943045+JamJarchitect@users.noreply.github.com>
Co-authored-by: Anthony Watherston <anwather@microsoft.com>
Co-authored-by: Jack Tracey <jack@jacktracey.co.uk>
Co-authored-by: Panagiotis Korologos <60117125+pkorolo@users.noreply.github.com>
Co-authored-by: Matthew Bratschun <25390936+mbrat2005@users.noreply.github.com>
Co-authored-by: Predrag Jelesijevic <5805065+prjelesi@users.noreply.github.com>
Co-authored-by: quoteee <45695032+JulianHayward@users.noreply.github.com>
Co-authored-by: René Hézser <rene@hezser.de>
Co-authored-by: Arunraj Selvaraj <68339349+aarunraaj@users.noreply.github.com>
This commit is contained in:
Sacha Narinx 2023-04-06 19:23:13 +04:00 коммит произвёл GitHub
Родитель 80c8305f10
Коммит 94531c16a5
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
62 изменённых файлов: 5469 добавлений и 1560 удалений

.github/workflows/code-review.yml поставляемый

@ -10,6 +10,7 @@ on:
pull_request:
branches:
- main
- policy-refresh
workflow_dispatch: {}
###############


@ -14665,8 +14665,8 @@
},
{
"properties": {
"description": "Deploys the diagnostic settings for WVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
"displayName": "Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
"displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
"mode": "Indexed",
"parameters": {
"logAnalytics": {
@ -14831,8 +14831,8 @@
},
{
"properties": {
"description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
"displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
"displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
"mode": "Indexed",
"parameters": {
"logAnalytics": {
@ -14989,8 +14989,8 @@
},
{
"properties": {
"description": "Deploys the diagnostic settings for WVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
"displayName": "Deploy Diagnostic Settings for WVD Application group to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all and categorys enabled.",
"displayName": "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace",
"mode": "Indexed",
"parameters": {
"logAnalytics": {
@ -18827,8 +18827,8 @@
"Disabled"
],
"metadata": {
"displayName": "Deploy Diagnostic Settings for WVD Application Groups to Log Analytics workspace",
"description": "Deploys the diagnostic settings for WVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
"displayName": "Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
}
},
"WVDWorkspaceLogAnalyticsEffect": {
@ -18839,8 +18839,8 @@
"Disabled"
],
"metadata": {
"displayName": "Deploy Diagnostic Settings for WVD Workspace to Log Analytics workspace",
"description": "Deploys the diagnostic settings for WVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
"displayName": "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
}
},
"WVDHostPoolsLogAnalyticsEffect": {
@ -18851,8 +18851,8 @@
"Disabled"
],
"metadata": {
"displayName": "Deploy Diagnostic Settings for WVD Host pools to Log Analytics workspace",
"description": "Deploys the diagnostic settings for WVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
"displayName": "Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The policy wil set the diagnostic with all metrics and category enabled"
}
},
"StorageAccountsLogAnalyticsEffect": {
@ -20267,9 +20267,10 @@
},
"SqlServerTDECMKEffect": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Audit",
"allowedValues": [
"AuditIfNotExists",
"Audit",
"Deny",
"Disabled"
],
"metadata": {
@ -20421,7 +20422,7 @@
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
"policyDefinitionReferenceId": "SqlServerTDECMKEffect",
"parameters": {
"effect": {
@ -20502,18 +20503,6 @@
"description": "App Service. Select version minimum TLS version for a Web App config to enforce"
}
},
"APIAppServiceLatestTlsEffect": {
"metadata": {
"displayName": "App Service API App. Latest TLS version should be used in your API App",
"description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version."
},
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
]
},
"APIAppServiceHttpsEffect": {
"metadata": {
"displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
@ -20848,15 +20837,6 @@
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
"policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect",
"parameters": {
"effect": {
"value": "[[parameters('APIAppServiceLatestTlsEffect')]"
}
}
},
{
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",
"policyDefinitionReferenceId": "FunctionLatestTlsEffect",
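Review bot: The `SqlServerTDECMKEffect` parameter (hunk at `@ -20267`) drops `AuditIfNotExists` from `allowedValues` while moving the default to `Audit`, so any existing assignment that passes `AuditIfNotExists` explicitly will be rejected on the next update of this policy set definition rather than being mapped to the new effect; the same break applies to assignments that still pass `APIAppServiceLatestTlsEffect`, whose parameter and policy reference are removed in the hunks at `@ -20502` and `@ -20848`. Because the swap to `0a370ff3-6cab-4e85-8995-295fd854c5b8` replaces a definition rather than renaming one, bumping the initiative's version metadata and adding a migration line in the release notes would let consumers catch the parameter change before redeploying. The parameter's `metadata` block continues outside the hunk, so I could not check whether its `description` still describes the retired `0d134df8-db83-46fb-ad72-fe0c9428c8dd` definition and its `AuditIfNotExists` effect; please confirm it matches the new effect list. I also could not see whether the superseding API App TLS policy `f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b` named in the deprecation table is already referenced in this initiative, so it is worth confirming that TLS coverage for API Apps is not lost by the removal.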


@ -1,28 +1,35 @@
# Azure Landing Zones Deprecated Services
# Azure Landing Zones Deprecated Policies and Services
## In this section
- [Azure Landing Zones Deprecated Services](#azure-landing-zones-deprecated-services)
- [Deprecated Policies](#deprecated-policies)
- [Deprecated Services](#deprecated-services)
## Overview
As built-in services are further developed by Microsoft, one or more Azure Landing Zone (ALZ) components may be superseded.
As policies and services are further developed by Microsoft, one or more Azure Landing Zone (ALZ) components may be superseded and need to be deprecated.
## Deprecated policies
New Azure Policies are being developed and created constantly as a `built-in` type. Azure Landing Zones (ALZ) policies are not exempt from this, so over time some policies will be included as `built-in` from `ALZ` or `custom` types. This will lead to duplicate policies being created and additional admin overhead of maintenance.
New Azure Policies are being developed and created by product groups that support their services and are typically of the `built-in` type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new `built-in` policies instead of ALZ `custom` policies. Through this process, `custom` ALZ policies will be deprecated when new `built-in` policies are available that provide the same capability, which ultimately reduces maintenance overhead for `custom` policies.
Over time, a deprecation process of there `ALZ / custom` policies will have to take place. To learn more about the deprecation process, see the following documentation:
Policies being deprecated:
[Azure Policy - Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies)
| Deprecated ALZ Policy | Superseded by built-in policy<br>(includes link to AzAdvertizer) | Justification |
| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| Deploys NSG flow logs and traffic analytics<br>ID: `Deploy-Nsg-FlowLogs` | [`e920df7f-9a64-4066-9b58-52684c02a091`](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) | Custom policy replaced by built-in requires less administration overhead |
| Deploys NSG flow logs and traffic analytics to Log Analytics<br>ID: `Deploy-Nsg-FlowLogs-to-LA` | [`e920df7f-9a64-4066-9b58-52684c02a091`](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html) | Custom policy replaced by built-in requires less administration overhead |
|Deny the creation of public IP<br>ID: `Deny-PublicIP` | [`6c112d4e-5bc7-47ae-a041-ea2d9dccd749`](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html) | Custom policy replaced by built-in requires less administration overhead |
| Latest TLS version should be used in your API App<br>ID: `8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e` | [`f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b`](https://www.azadvertizer.net/azpolicyadvertizer/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b.html) | Deprecated policy in intiative removed as existing policy supercedes it |
| SQL servers should use customer-managed keys to encrypt data at rest<br>ID: `0d134df8-db83-46fb-ad72-fe0c9428c8dd` | [`0a370ff3-6cab-4e85-8995-295fd854c5b8`](https://www.azadvertizer.net/azpolicyadvertizer/0a370ff3-6cab-4e85-8995-295fd854c5b8.html) | Deprecated policy in intiative replaced with new policy |
| RDP access from the Internet should be blocked<br>ID: `Deny-RDP-From-Internet` | [`Deny-MgmtPorts-From-Internet`](https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html) | Deprecated policy as it is superceded by a more flexible policy |
| Deploy SQL Database Transparent Data Encryption<br>ID: [`Deploy SQL Database Transparent Data Encryption`](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Sql-Tde.html) | `86a912f6-9a06-4e26-b447-11b16ba8659f` | Custom policy replaced by built-in requires less administration overhead |
| Deprecated ALZ Policy IDs | Superseded by built-in policy IDs | Justification |
|-----------------------------------------------|--------------------------------------|--------------------------------------------------------------------------|
| Deploy-Nsg-FlowLogs | [e920df7f-9a64-4066-9b58-52684c02a091](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html?) | Custom policy replaced by built-in requires less administration overhead |
| Deploy-Nsg-FlowLogs-to-LA | [e920df7f-9a64-4066-9b58-52684c02a091](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html?) | Custom policy replaced by built-in requires less administration overhead |
| Deny-PublicIP | [6c112d4e-5bc7-47ae-a041-ea2d9dccd749](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html?) | Custom policy replaced by built-in requires less administration overhead |½
### More Information
- [Azure Policy - Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies) - to learn more about the deprecation process.
- [Migrate ALZ Policies to Builtin](https://github.com/Azure/Enterprise-Scale/wiki/Migrate-ALZ-Policies-to-Built%E2%80%90in) - for guidance on how to migrate deprecated ALZ custom policies to Azure built-in policies.
Guidance on how to migrate deprecated ALZ custom policies to Azure built-in policies can be found [here](https://github.com/Azure/Enterprise-Scale/wiki/Migrate-ALZ-Policies-to-Built%E2%80%90in)
## Deprecated services
- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace. As this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights)
- Removed `ActivityLog` Solution as an option to be deployed into the Log Analytics Workspace, as this has been superseded by the Activity Log Insights Workbook, as documented [here.](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log-insights)


@ -40,6 +40,8 @@ The subsequent sections will provide a summary of policy sets and policy set def
> **NOTE**: Although the below sections will define which policy definitions/sets are applied at specific scopes, please remember that policy will inherit within your management group hierarchy.
For convenience, an Excel version of the below information is available [here](media/ALZ%20Policy%20Assignments%20v2.xlsx) (last updated March 2023).
### Intermediate Root
This management group is a parent to all the other management groups created within the default Azure landing zone configuration. Policy assignment is predominantly focused on assignment of security and monitoring best practices to ensure compliance and reduced operational overhead.
@ -55,20 +57,26 @@ This management group is a parent to all the other management groups created wit
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **5** |
| `Policy Definitions` | **1** |
| `Policy Definition Sets` | **9** |
| `Policy Definitions` | **2** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Intermediate Root Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------- |
| **Deploy Microsoft Defender for Cloud configuration** | **Deploy Microsoft Defender for Cloud configuration** | `Policy Definition Set`, **Custom** | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace | DeployIfNotExists | 3.0.0 |
| **Deploy-Resource-Diag** | **Deploy Diagnostic Settings to Azure Services** | `Policy Definition Set`, **Custom** | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. | DeployIfNotExists | 2.0.0 |
| **Enable Monitoring in Azure Security Center** | **Azure Security Benchmark** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled | 49.0.0 |
| **Enable Azure Monitor for VMs** | **Enable Azure Monitor for VMs** | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter | DeployIfNotExists, AuditIfNotExists | 2.0.0 |
| **Enable Azure Monitor for Virtual Machine Scale Sets** | **Enable Azure Monitor for Virtual Machine Scale Sets** | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | DeployIfNotExists, AuditIfNotExists | 1.0.1 |
| **Deploy Diagnostic Settings for Activity Log to Log Analytics workspace** | **Configure Azure Activity logs to stream to specified Log Analytics workspace** | `Policy Definition`, **Built-in** | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists | 1.0.0 |
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- |
| **Deploy Microsoft Defender for Cloud configuration** | **Deploy Microsoft Defender for Cloud configuration** | `Policy Definition Set`, **Custom** | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace | DeployIfNotExists |
| **[Preview]: Deploy Microsoft Defender for Endpoint agent** | **[Preview]: Deploy Microsoft Defender for Endpoint agent** | `Policy Definition Set`, **Built-in** | Deploy Microsoft Defender for Endpoint agent on applicable images. | DeployIfNotExists |
| **Deploy-Resource-Diag** | **Deploy Diagnostic Settings to Azure Services** | `Policy Definition Set`, **Custom** | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. | DeployIfNotExists |
| **Enable Monitoring in Azure Security Center** | **Azure Security Benchmark** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled |
| **Enable Azure Monitor for VMs** | **Enable Azure Monitor for VMs** | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter | DeployIfNotExists, AuditIfNotExists |
| **Enable Azure Monitor for Virtual Machine Scale Sets** | **Enable Azure Monitor for Virtual Machine Scale Sets** | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | DeployIfNotExists, AuditIfNotExists |
| **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | `Policy Definition Set`, **Built-in** | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
| **Configure Advanced Threat Protection to be enabled on open-source relational databases** | **Configure Advanced Threat Protection to be enabled on open-source relational databases** | `Policy Definition Set`, **Built-in** | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. | DeployIfNotExists |
| **Deploy Diagnostic Settings for Activity Log to Log Analytics workspace** | **Configure Azure Activity logs to stream to specified Log Analytics workspace** | `Policy Definition`, **Built-in** | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists |
| **Deny the Deployment of Classic Resources** | **Not allowed resource types** | `Policy Definition`, **Built-in** | Denies deployment of classic resource types under the assigned scope | Deny |
| **Audit-UnusedResourcesCostOptimization** | **Audit-UnusedResourcesCostOptimization** | `Policy Definition Set`, **Custom** | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost. | Audit |
| **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | `Policy Definition`, **Custom** | Deny virtual machines not using managed disk. It checks the managedDisk property on virtual machine OS Disk fields. | Deny |
### Platform
@ -110,9 +118,9 @@ This management group contains a dedicated subscription for connectivity. This s
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Connectivity Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify | 1.0.0 |
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify |
### Management
@ -135,9 +143,9 @@ This management group contains a dedicated subscription for management, monitori
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Management Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
| **Deploy-Log-Analytics** | **Configure Log Analytics workspace and automation account to centralize logs and monitoring** | `Policy Definition`, **Built-in** | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. | DeployIfNotExists | 2.0.0 |
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| **Deploy-Log-Analytics** | **Configure Log Analytics workspace and automation account to centralize logs and monitoring** | `Policy Definition`, **Built-in** | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. | DeployIfNotExists |
### Identity
@ -160,12 +168,12 @@ This management group contains a dedicated subscription for identity. This subsc
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Identity Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| **Deny the creation of public IP** | **Not allowed resource types** | `Policy Definition`, **Built-in** | This policy denies creation of Public IPs under the assigned scope. Single parameter value for `listOfResourceTypesNotAllowed` which is `Microsoft.Network/publicIPAddresses` | Deny | 1.0.0 |
| **RDP access from the Internet should be blocked** | **RDP access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows RDP access from Internet. | Deny | 1.0.0 |
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | 2.0.0 |
| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. | DeployIfNotExists | 8.0.0 |
| **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny |
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. | DeployIfNotExists |
### Landing Zones
@ -182,27 +190,30 @@ This is the parent management group for all the landing zone child management gr
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **1** |
| `Policy Definitions` | **12** |
| `Policy Definition Sets` | **3** |
| `Policy Definitions` | **13** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ------- |
| **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny | 1.0.0 |
| **RDP access from the Internet should be blocked** | **RDP access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows RDP access from Internet | Deny | 1.0.0 |
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny | 2.0.0 |
| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny | 1.0.0 |
| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit | 2.0.0 |
| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists | 4.0.0 |
| **Auditing on SQL server should be enabled** | **Auditing on SQL server should be enabled** | `Policy Definition`, **Built-in** | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists | 2.0.0 |
| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists | 2.1.0 |
| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. | DeployIfNotExists | 8.0.0 |
| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection . | Modify | 1.0.0 |
| **Kubernetes cluster should not allow privileged containers** | **Kubernetes cluster should not allow privileged containers** | `Policy Definition`, **Built-in** | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | 7.2.0 |
| **Kubernetes clusters should not allow container privilege escalation** | **Kubernetes clusters should not allow container privilege escalation** | `Policy Definition`, **Built-in** | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Audit | 4.2.0 |
| **Kubernetes clusters should be accessible only over HTTPS** | **Kubernetes clusters should be accessible only over HTTPS** | `Policy Definition`, **Built-in** | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | 6.1.0 |
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
| **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | **Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit** | `Policy Definition Set`, **Custom** | Description TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny |
| **Enforce recommended guardrails for Azure Key Vault** | **Enforce recommended guardrails for Azure Key Vault** | `Policy Definition Set`, **Custom** | This policy initiative enforces minimum guardrails for Azure Key Vault: <ul><li>Key vaults should have soft delete enabled (Deny)<li>Key vaults should have purge protection enabled (Deny)<li>Key Vault secrets should have an expiration date (Audit)<li>Key Vault keys should have an expiration date (Audit)<li>Azure Key Vault should have firewall enabled (Audit)<li>Certificates should have the specified lifetime action triggers (Audit)<li>Keys should have more than the specified number of days before expiration (Audit < 90 days)<li>Secrets should have more than the specified number of days before expiration (Audit < 90 days)</ul>| Audit, Deny |
| **Enforce Azure Compute Security Benchmark compliance auditing** | **Enforce Azure Compute Security Benchmark compliance auditing** | `Policy Definition Set`, **Custom** | This policy initiative enables Azure Compute Security Basline compliance auditing for Windows and Linux virtual machines. | AuditIfNotExists |
| **Management port access from the Internet should be blocked** | **Management port access from the Internet should be blocked** | `Policy Definition`, **Custom** | This policy denies any network security rule that allows management port access from Internet (Default port 22, 3389). | Deny |
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny |
| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit |
| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists |
| **Configure SQL servers to have auditing enabled to Log Analytics workspace** | **Configure SQL servers to have auditing enabled to Log Analytics workspace** | `Policy Definition`, **Built-in** | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists |
| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
| **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | **Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy** | `Policy Definition`, **Built-in** | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. | DeployIfNotExists |
| **Virtual networks should be protected by Azure DDoS Network Protection** | **Virtual networks should be protected by Azure DDoS Network Protection** | `Policy Definition`, **Built-in** | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection . | Modify |
| **Kubernetes cluster should not allow privileged containers** | **Kubernetes cluster should not allow privileged containers** | `Policy Definition`, **Built-in** | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny |
| **Kubernetes clusters should not allow container privilege escalation** | **Kubernetes clusters should not allow container privilege escalation** | `Policy Definition`, **Built-in** | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Audit |
| **Kubernetes clusters should be accessible only over HTTPS** | **Kubernetes clusters should be accessible only over HTTPS** | `Policy Definition`, **Built-in** | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny |
| **Web Application Firewall (WAF) should be enabled for Application Gateway** | **Web Application Firewall (WAF) should be enabled for Application Gateway** | `Policy Definition`, **Built-in** | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit |
### Corp
@ -225,13 +236,13 @@ This management group is for corporate landing zones. This group is for workload
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Corp Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | ------- |
| **Public network access should be disabled for PaaS services** | **Public network access should be disabled for PaaS services** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | Deny | 1.0.0 |
| **Configure Azure PaaS services to use private DNS zones** | **Configure Azure PaaS services to use private DNS zones** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones | DeployIfNotExists | 1.0.0 |
| **Prevent usage of Databricks with public IP** | **Deny public IPs for Databricks cluster** | `Policy Definition`, **Custom** | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. | Deny | 1.0.0 |
| **Enforces the use of Premium Databricks workspaces** | **Deny non-premium Databricks sku** | `Policy Definition`, **Custom** | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. | Deny | 1.0.0 |
| **Enforces the use of vnet injection for Databricks** | **Deny Databricks workspaces without Vnet injection** | `Policy Definition`, **Custom** | Enforces the use of vnet injection for Databricks workspaces. | Deny | 1.0.0 |
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- |
| **Public network access should be disabled for PaaS services** | **Public network access should be disabled for PaaS services** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | Deny |
| **Configure Azure PaaS services to use private DNS zones** | **Configure Azure PaaS services to use private DNS zones** | `Policy Definition Set`, **Custom** | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones | DeployIfNotExists |
| **Deny network interfaces having a public IP associated** | **Network interfaces should not have public IPs** | `Policy Definition`, **Built-in** | This policy denies network interfaces from having a public IP associated to it under the assigned scope. | Deny |
| **Deny the deployment of vWAN/ER/VPN gateway resources** | **Not allowed resource types** | `Policy Definition`, **Built-in** | Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone. | Deny |
| **Audit Private Link Private DNS Zone resources** | **Audit the creation of Private Link Private DNS Zones** | `Policy Definition`, **Custom** | Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone. | Audit |
### Online
@ -254,7 +265,7 @@ This management group is for online landing zones. This group is for workloads t
### Decommissioned
This management group is for landing zones that are being cancelled. Cancelled landing zones will be moved to this management group before deletion by Azure after 30-60 days. There are currently no policies assigned at this management group.
This management group is for landing zones that are being cancelled. Cancelled landing zones will be moved to this management group before deletion by Azure after 30-60 days.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
@ -267,13 +278,17 @@ This management group is for landing zones that are being cancelled. Cancelled l
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definition Sets` | **1** |
| `Policy Definitions` | **0** |
</td></tr> </table>
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- |
| **Enforce ALZ Decommissioned Guardrails** | **Enforce ALZ Decommissioned Guardrails** | `Policy Definition Set`, **Custom** | This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. Policies included: <ul><li>Deny the deployment of new resources<li>Deploy an auto VM shutdown policy at UTC 00:00</ul> | Enforce |
### Sandbox
This management group is for subscriptions that will only be used for testing and exploration by an organization. These subscriptions will be securely disconnected from the corporate and online landing zones. Sandboxes also have a less restrictive set of policies assigned to enable testing, exploration, and configuration of Azure services. There are currently no policies assigned at this management group.
This management group is for subscriptions that will only be used for testing and exploration by an organization. These subscriptions will be securely disconnected from the corporate and online landing zones. Sandboxes also have a less restrictive set of policies assigned to enable testing, exploration, and configuration of Azure services.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
@ -286,10 +301,14 @@ This management group is for subscriptions that will only be used for testing an
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definition Sets` | **1** |
| `Policy Definitions` | **0** |
</td></tr> </table>
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) |
| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- |
| **Enforce ALZ Sandbox Guardrails** | **Enforce ALZ Sandbox Guardrails** | `Policy Definition Set`, **Custom** | This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. Policies included: <ul><li>Deny vNET peering across subscriptions<li>Deny the deployment of vWAN/ER/VPN gateways.</ul> | Enforce |
### Versioning
Each policy definition and initiative contains a version in its metadata section:
@ -305,6 +324,7 @@ Each policy definition and initiative contains a version in its metadata section
]
}
```
To track and review policy and initiative versions, please refer to [AzAdvertizer](https://www.azadvertizer.net/index.html).
This version is incremented according to the following rules (subject to change):
- **Major Version** (**1**.0.0)


@ -28,7 +28,7 @@ These are the following scenarios for ALZ custom policies being updated to lates
### Updating one or more ALZ custom policies to newer ALZ custom policy
For this scenario we will use the ALZ custom policy *Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace*.
For this scenario we will use the ALZ custom policy *Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace*.
Considering no parameters have changed, this is a simple exercise that consists of replacing the policy definition content with the latest policy definition. While it is possible to update the policy definition via the portal GUI, there are some properties than can't be updated, like version. To minimize errors and include all updated policy definition properties, we will be updating this policy via a PowerShell script.
@ -75,7 +75,7 @@ Before we begin, we need to identify the policy definition name and location to
### Updating one or more ALZ custom policies to newer ALZ custom policy with updated parameters
For this scenario, we will use the ALZ custom policy *Deploy Diagnostic Settings for WVD Host Pools to Log Analytics workspace*. Even though this policy doesn't have any updated parameters, we will walk through the steps as though it does.
For this scenario, we will use the ALZ custom policy *Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace*. Even though this policy doesn't have any updated parameters, we will walk through the steps as though it does.
- Go to [Azure Portal](https://portal.azure.com)
- Open Policy


@ -2,6 +2,7 @@
- [In this Section](#in-this-section)
- [Updates](#updates)
- [April 2023](#april-2023)
- [March 2023](#march-2023)
- [February 2023](#february-2023)
- [January 2023](#january-2023)
@ -51,6 +52,105 @@ This article will be updated as and when changes are made to the above and anyth
Here's what's changed in Enterprise Scale/Azure Landing Zones:
### April 2023
We are pleased to announce that we are starting regular Azure Policy reviews for Azure Landing Zone. This includes a review of new built-in policies released and their suitability for ALZ, built-in policies that can replace custom ALZ policies, built-in policies that have been deprecated and addition of new ALZ custom policies and initiatives as identified based on best practices, issues raised and customer feedback. Most importantly, we have also provided default assignments for all the new policies at the appropriate ALZ Management Group level. This will ensure that all new policies are automatically assigned to the appropriate scope and will be in compliance with the ALZ baseline. This will also ensure that the ALZ is always up to date with the latest Azure Policy definitions.
This update includes many ALZ Azure Policies and Initiatives that have been added or updated to enhance the security, governance, and management of ALZ. As part of our commitment to continuous improvement, we have also enhanced our policy review process, with a focus on transitioning away from deprecated policies where possible, move from custom to built-in policies providing the same or enhanced functionality, and implementing new policies to keep ALZ as part of the current review cycle.
This is the first major review and refresh of Azure Policy since ALZ was GA'd. Since GA many new built-in policies and initiatives have been released which has driven the need for this review. We believe that a regular review cycle will allow us to stay on top of emerging trends and new policies, ensuring that our Azure environment remains secure and compliant. Should you identify policies or initiatives that should be considered for ALZ, kindly submit an [GitHub issue](https://github.com/Azure/Enterprise-Scale/issues). For more information, please refer to the [ALZ Policies](ALZ-Policies.md) or the new [Excel spreadsheet](media/ALZ%20Policy%20Assignments%20v2.xlsx) version.
We strongly advise staying up-to-date to ensure the best possible security posture for your Azure environment, see [Keep your Azure landing zone up to date](https://aka.ms/alz/update). For those with existing deployments or policies, we have provided [Brownfield guidance](https://aka.ms/alz/brownfield) to help you navigate the process of updating to the latest policies. We recognize that there may be breaking changes when upgrading an existing deployment or policies and for details follow our recently released guidance to support you in this process:
- [Update Azure landing zone custom policies](https://aka.ms/alz/update/custom)
- [Migrate Azure landing zone policies to Azure built-in policies](https://aka.ms/alz/update/builtin)
> **Please note** that, in some cases, moving to the new Built-In Policy definitions, deploying changes to existing custom policies or removing deprecated policies will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace, Policy Assignment historic data will be stored here as per the retention duration configured. Thank you for your cooperation, and we look forward to continuing to work with you to ensure the security and compliance of our Azure environment.
> While we've made every effort to test the stability of this release, should you have any issues and the guidance provided does not resolve your issue, please open a [GitHub issue](https://github.com/Azure/Enterprise-Scale/issues) so we can do our best to support you and document the fix for others.
#### Policy
##### Breaking Changes
Note that a number of initiatives have been updated that will fail to deploy if you have existing deployments. This is due to the fact that the number of parameters and default values have changed, as we've added or removed policies from the initiative. To resolve this, you will need to remove the existing initiative assignments and then redeploy the updated initiative.
| Initiative Name | Change | Recommended Action |
| --- | --- | --- |
| [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) | Removed a deprecated policy, superceding policy is already in the initiative | Remove existing initiative assignment, delete the custom initiative and remove the orphaned identity. Deploy the updated initiative. |
##### New
- New Initiative for the Decommissioned landingzones including policies:
- Initiative name: `Enforce-ALZ-Decomm`
- [Allowed resource types](https://www.azadvertizer.net/azpolicyadvertizer/a08ec900-254a-4555-9bf5-e42af04b5c5c.html) - resources are not allowed to be deployed, however, authorization, lock and tag management are permitted.
- New policy to deploy an auto shutdown policy for virtual machines - Deploy-Vm-autoShutdown
- Portal accelerator updated with additional tab and options to enable this initiative.
- New Initiative for the Sandboxes landingzones including policies:
- Initiative name: `Enforce-ALZ-Sanbox`
- [Not allowed resource types](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html) - blocking the deployment of ER/VPN/vWAN
- [Deny vNet peering cross subscription.](https://www.azadvertizer.net/azpolicyadvertizer/Deny-VNET-Peer-Cross-Sub.html)
- Portal accelerator updated with additional tab and options to enable this initiative.
- Added initiative assignment [[Preview]: Deploy Microsoft Defender for Endpoint agent](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e20d08c5-6d64-656d-6465-ce9e37fd0ebc.html) to 'Intermediate Root' Management Group.
- Added assignment of [Network interfaces should not have public IPs](https://www.azadvertizer.net/azpolicyadvertizer/83a86a26-fd1f-447c-b59d-e51f44264114.html) built-in Policy to the 'Corp' Management Group.
- Added new initiative and assignment to implement recommended guardrails for Azure Key Vault at the landing zones management group
- Initiative name: `ENFORCE-Guardrails-KeyVault`
- Policies included: [ALZ Polices](https://aka.ms/alz/policies)
- Portal accelerator updated
- Added two new policy assignments to govern Corp Management Group networking:
- `DENY-HybridNetworking` - blocks the provisioning of vWAN/ER/VPN, including gateways, in Corp
- `AUDIT-PeDnsZones` - audits the provisioning of Private Link Private DNS Zones in Corp
- **NOTE**: The policy default values include all the static Private DNS Zones only. When assigned via the ALZ portal experience the assignment includes all the Private DNS Zones that are deployed as part of the ALZ Portal experience, including the geo code/regional zones for Azure Backup, AKS etc.
- Added new policy assignment to audit WAF enabled on Application Gateways (`Audit-AppGW-WAF`)
- Added new initiative and assignment to enable Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines (`Enforce-ACSB`)
- Added new Diagnostic setting category for Host Pools Diagnostic Settings to `Deploy-Diagnostics-WVDHostPools`
- `ConnectionGraphicsData`
- Added new Diagnostic setting category for EventGrid Topics Diagnostic Settings to `Deploy-Diagnostics-EventGridTopic`
- `DataPlaneRequests`
- Added two new policy initiative assignments to enable Advanced Threat Detection for databases at intermediate root:
- [Configure Advanced Threat Protection to be enabled on open-source relational databases](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e.html)
- [Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97.html)
- Add new Azure Policy Initiative and assignment [(Audit-UnusedResourcesCostOptimization)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Audit-UnusedResourcesCostOptimization.html), at the intermediate root management group (e.g. `contoso`), to audit unused resources that are driving costs.
- Added new assignment to deny deployment of virtual machines and virtual machine scale sets using unmanaged OS disks.
- Added a policy assignment to deny Classic resources at the `Intermediate Root` management group
##### Update
- Removed deprecated policy [[Deprecated]: Latest TLS version should be used in your API App (azadvertizer.net)](https://www.azadvertizer.net/azpolicyadvertizer/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e.html) from initiative [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) as recommended policy is already included in the initiative.
- **BREAKING CHANGE** (parameters changed):
- Delete assignment [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html).
- Delete custom initiative prior to applying updates as parameters have changed, then re-assign.
- Delete orphaned indentity on Landing Zone scope.
- Deploy new initiative on Landing Zone scope.
- Updated initiative [Deny or Audit resources without Encryption with a customer-managed key (CMK) (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html) deprecated policy [[Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/0d134df8-db83-46fb-ad72-fe0c9428c8dd.html) to new policy [Azure Policy definition SQL servers should use customer-managed keys to encrypt data at rest](https://www.azadvertizer.net/azpolicyadvertizer/0a370ff3-6cab-4e85-8995-295fd854c5b8.html)
- Updated intiative and assignment [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config.html) to include the new policies:
- [[Preview]: Configure Microsoft Defender for APIs should be enabled](https://www.azadvertizer.net/azpolicyadvertizer/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6.html)
- [Configure Microsoft Defender CSPM to be enabled](https://www.azadvertizer.net/azpolicyadvertizer/689f7782-ef2c-4270-a6d0-7664869076bd.html)
- [Configure machines to receive a vulnerability assessment provider](https://www.azadvertizer.net/azpolicyadvertizer/13ce0167-8ca6-4048-8e6b-f996402e3c1b.html)
- [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html)
- [Configure Azure Kubernetes Service clusters to enable Defender profile](https://www.azadvertizer.net/azpolicyadvertizer/64def556-fbad-4622-930e-72d1d5589bf5.html)
- Replaced policy assignment "Auditing on SQL server should be enabled" with "Configure SQL servers to have auditing enabled to Log Analytics workspace" on `Landing Zones` Management Group, to suitably assign respective DINE policy definition, instead of AINE
- Deprecated `Deny-RDP-From-Internet` and added new policy `Deny-MgmtPorts-From-Internet` which is more flexible and blocks port 22 and 3389 by default
- Updated the initiative `Deny-PublicPaaSEndpoints` to include additional policies available to block public access for PaaS services
- Updated [storage](https://www.azadvertizer.net/azpolicyadvertizer/b2982f36-99f2-4db5-8eff-283140c09693.html) and [Key Vault](https://www.azadvertizer.net/azpolicyadvertizer/405c5871-3e91-4644-8a63-58e19d68ff5b.html) to use new policies using the `/publicNetworkAccess` alias
- Added new policy to inintiative that enablies diagnostic settings for VWAN S2S and added as part of diagnostic settings policy initiative.
- Updated ALZ Policies wiki:
- Removed the "Version" column to improve readability.
- Added the option to download an Excel file with all the policy/initiative assigments.
- Update ALZ Policies wiki: Excel file with all the policy/initiative assigments.
- Renamed Policies from `WVD` to `AVD` - Display names and Descriptions only
- Update the `Deploy SQL Database built-in SQL security configuration` initiative to point to the built-in policy [Deploy SQL DB transparent data encryption](https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html) instead of the deprecated custom policy `Deploy SQL Database built-in SQL security configuration`.
##### Retire
- Deprecated the custom ALZ policy `Deploy SQL Database Transparent Data Encryption` as there is now a built-in policy available in Azure Policy [Deploy SQL DB transparent data encryption](https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html).
- No longer assign Databricks custom policies at `Corp` management group scope. Policies:
- Deny-Databricks-NoPublicIp
- Deny-Databricks-Sku
- Deny-Databricks-VirtualNetwork
> If you are not using these policies, we advise you remove the assignment at `Corp` management group level, if you are not utilizing them.
### March 2023
#### Docs
@ -93,20 +193,21 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
#### Docs
- Migrated the following pages to the [Enterprise-Scale Wiki](https://github.com/Azure/Enterprise-Scale/wiki/)
| Original URL | New URL |
| --- | --- |
| [docs/ESLZ-Policies.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) | [wiki/ALZ-Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) |
| [docs/EnterpriseScale-Architecture.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Architecture.md) | [wiki/ALZ-Architecture](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Architecture) |
| [docs/EnterpriseScale-Contribution.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Contribution.md) | [wiki/ALZ-Contribution](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Contribution) |
| [docs/EnterpriseScale-Deploy-landing-zones.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-landing-zones.md) | [wiki/ALZ-Deploy-landing-zones](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-landing-zones) |
| [docs/EnterpriseScale-Deploy-reference-implentations.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-reference-implentations.md) | [wiki/ALZ-Deploy-reference-implementations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-reference-implementations) |
| [docs/EnterpriseScale-Deploy-workloads.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-workloads.md) | [wiki/ALZ-Deploy-workloads](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-workloads) |
| [docs/EnterpriseScale-Known-Issues.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Known-Issues.md) | [wiki/ALZ-Known-Issues](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Known-Issues) |
| [docs/EnterpriseScale-Roadmap.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Roadmap.md) | [wiki/ALZ-Roadmap](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Roadmap) |
| [docs/EnterpriseScale-Setup-aad-permissions.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-aad-permissions.md) | [wiki/ALZ-Setup-aad-permissions](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions) |
| [docs/EnterpriseScale-Setup-azure.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md) | [wiki/ALZ-Setup-azure](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure) |
| Original URL | New URL |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| [docs/ESLZ-Policies.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) | [wiki/ALZ-Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) |
| [docs/EnterpriseScale-Architecture.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Architecture.md) | [wiki/ALZ-Architecture](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Architecture) |
| [docs/EnterpriseScale-Contribution.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Contribution.md) | [wiki/ALZ-Contribution](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Contribution) |
| [docs/EnterpriseScale-Deploy-landing-zones.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-landing-zones.md) | [wiki/ALZ-Deploy-landing-zones](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-landing-zones) |
| [docs/EnterpriseScale-Deploy-reference-implentations.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-reference-implentations.md) | [wiki/ALZ-Deploy-reference-implementations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-reference-implementations) |
| [docs/EnterpriseScale-Deploy-workloads.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Deploy-workloads.md) | [wiki/ALZ-Deploy-workloads](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-workloads) |
| [docs/EnterpriseScale-Known-Issues.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Known-Issues.md) | [wiki/ALZ-Known-Issues](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Known-Issues) |
| [docs/EnterpriseScale-Roadmap.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Roadmap.md) | [wiki/ALZ-Roadmap](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Roadmap) |
| [docs/EnterpriseScale-Setup-aad-permissions.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-aad-permissions.md) | [wiki/ALZ-Setup-aad-permissions](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions) |
| [docs/EnterpriseScale-Setup-azure.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md) | [wiki/ALZ-Setup-azure](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure) |
- Updated the guidance for contributing to the [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale/) repository
#### Tooling
@ -117,7 +218,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- Updated "**Deploy Diagnostic Settings to Azure Services**" initiative replacing deprecated policy for diagnostic settings on Storage Account
- Removed all exclusions (parameters) from the Microsoft Cloud Security Benchmark (currently Azure Security Benchmark) initiative assignment to standardize across reference architectures and align with best practice.
Impacted assignment: Deploy-ASC-Monitoring
Impacted assignment: Deploy-ASC-Monitoring
- Updated "**Deploy Diagnostic Settings for Data Factory to Log Analytics workspace" to include new categories of: `SandboxPipelineRuns` & `SandboxActivityRuns`
- Add missing `minimalSeverity` parameter to `Deploy-ASC-SecurityContacts` Policy Definition
@ -134,7 +235,7 @@ Impacted assignment: Deploy-ASC-Monitoring
- Included documentation on how to [Migrate ALZ custom policies to Azure builtin policies](migrate-alz-policies-to-builtin.md) to the Wiki.
- Added links to the superseding policies on the [ALZ Deprecated Services](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deprecated-Services#deprecated-policies) page.
- Renamed Azure Security Benchmark references to [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/security/benchmark/azure/introduction).
#### Tooling
- Updated ALZ Portal Accelerator to support all available Availability Zones as listed [here](https://learn.microsoft.com/azure/reliability/availability-zones-service-support#azure-regions-with-availability-zone-support)
@ -144,16 +245,20 @@ Impacted assignment: Deploy-ASC-Monitoring
- "**Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace**" definition added and also added to `Deploy-Diagnostics-LogAnalytics` initiative
- "**Deploy Diagnostic Settings for Databricks to Log Analytics workspace**" definition update
- Version 1.1.0 -> 1.2.0
- Added missing log categories
- "**Deploy SQL Database security Alert Policies configuration with email admin accounts**" definition update
- Version 1.0.0 -> 1.1.1
- Changed email addresses from hardcoding to array parameter
- "**Deploy SQL Database Transparent Data Encryption**" definition update
- Version 1.0.0 -> 1.1.0
- Added system databases master, model, tempdb, msdb, resource to exclusion parameter as default values
- Added as Policy Rule 'notIn' which will exclude the above databases from the policy
- Updated "**Deploy-Private-DNS-Zones**" Custom initiative for **Azure Public Cloud**, with latest built-in Policies. Policies were added for the following Services:
- Azure Automation
- Azure Cosmos DB (all APIs: SQL, MongoDB, Cassandra, Gremlin, Table)
- Azure Data Factory
@ -164,6 +269,7 @@ Impacted assignment: Deploy-ASC-Monitoring
- Azure Media Services
- Azure Monitor
- Minor fixes related to "**Deploy-Private-DNS-Zones**" Custom Initiative and respective Assignment:
- Added missing Zones for **"WebPubSub"** and **"azure-devices-provisioning"**, so Initiative Assignment works correctly
- Minor correction related to **ASR Private DNS Zone variable**, so Initiative Assignment works correctly
- Conversion of **"Azure Batch"** Private DNS Zone (from regional to global), to properly align with latest respective documentation and functionality
@ -172,29 +278,32 @@ Impacted assignment: Deploy-ASC-Monitoring
- Added `Configure Microsoft Defender for Azure Cosmos DB to be enabled` to the `Deploy Microsoft Defender for Cloud configuration` initiative and updated version to `3.1.0` - Fixing issue [issue #1081](https://github.com/Azure/Enterprise-Scale/issues/1081)
- Added `AZFWFlowTrace` category for Azure Firewall in associated Diagnostic Policy
- Deprecated the following ALZ policies
- [Deploy-Nsg-FlowLogs](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs.html)
- [Deploy-Nsg-FlowLogs-to-LA](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs-to-LA.html)
- [Deny-PublicIp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicIP.html)
in favour of Azure built-in policies with the same or enhanced functionality.
| ALZ Policy ID(s) | Azure Builti-in Policy ID(s) |
|------------------------------------------------|--------------------------------------|
| Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 |
| Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 |
| Deny-PublicIp | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
| ALZ Policy ID(s) | Azure Builti-in Policy ID(s) |
| --------------------------- | -------------------------------------- |
| Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 |
| Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 |
| Deny-PublicIp | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
- "**"Deploy-ASC-SecurityContacts"**" definition update
- displayName and description update to "Deploy Microsoft Defender for Cloud Security Contacts"
- Added new parameter `minimalSeverity` with settings
- Default value `High`
- Allowed values: `High`, `Medium`, `Low`
- "**"Deploy-MDFC-Config"**" definition update
- Updated policy definitions set Deploy-MDFC-Config, Deploy-MDFC-Config(US Gov), Deploy-MDFC-Config (China)
- added new parameter `minimalSeverity`.
- added default value for multiple parameters.
### Other
- *No updates, yet.*
@ -243,7 +352,7 @@ Impacted assignment: Deploy-ASC-Monitoring
#### Docs
- Updated the Enterprise-scale [Wiki](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/) to reflect the latest updates on Azure landing zone accelerator.
- [Deploy Azure landing zone portal accelerator](./Deploying-ALZ)
- [Deployment guidance for Small Enterprises](./Deploying-ALZ-BasicSetup)
- [How to deploy without hybrid connectivity](./Deploying-ALZ-Foundation)
@ -334,7 +443,7 @@ Impacted assignment: Deploy-ASC-Monitoring
- Add 2 new categories for Host Pools Diagnostic Settings
- `NetworkData`
- `SessionHostManagement`
- Added AVD Scaling Plans Diagnostic Settings called `Deploy-Diagnostics-AVDScalingPlans` for Azure Public only - as not supported in Fairfax or Mooncake as per <https://learn.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan> - Fixing issue [issue #962](https://github.com/Azure/Enterprise-Scale/issues/962)
- Added AVD Scaling Plans Diagnostic Settings called `Deploy-Diagnostics-AVDScalingPlans` for Azure Public only - as not supported in Fairfax or Mooncake as per [https://learn.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan](https://docs.microsoft.com/azure/virtual-desktop/autoscale-scaling-plan) - Fixing issue [issue #962](https://github.com/Azure/Enterprise-Scale/issues/962)
- Added to `Deploy-Diagnostics-LogAnalytics` Policy Initiative
- Added additional log categories to `Deploy-Diagnostics-Firewall` for Azure Firewall Diagnostic Settings Policy - Fixing issue [issue #985](https://github.com/Azure/Enterprise-Scale/issues/985)
- Added additional log categories to `Deploy-Diagnostics-APIMgmt` for Azure API Management Diagnostic Settings Policy - Fixing issue [issue #986](https://github.com/Azure/Enterprise-Scale/issues/986)
@ -448,7 +557,7 @@ Impacted assignment: Deploy-ASC-Monitoring
- Updated portal experiences for Public and Fairfax
| Policy Definition Display Name | Policy Definition ID | Note |
| ----------------------------------------------------------------------------- | ------------------------------------ | ------------------------------------------------------ |
| ------------------------------------------------------------------------------- | -------------------------------------- | -------------------------------------------------------- |
| [Deprecated]: Configure Azure Defender for container registries to be enabled | d3d1e68e-49d4-4b56-acff-93cef644b432 | REMOVED - Old ACR policy |
| [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | 133047bf-1369-41e3-a3be-74a11ed1395a | REMOVED - Old AKS Policy |
| Configure Microsoft Defender for Containers to be enabled | c9ddb292-b203-4738-aead-18e2716e858f | ADDED - New grouped containers policy for the new plan |
@ -478,7 +587,7 @@ Impacted assignment: Deploy-ASC-Monitoring
- The following policy definitions for Microsoft Defender for Cloud configurations are not available as built-in in Azure China. The policy set definition will be updated as when these policy definitions are available:
- defenderForOssDb, defenderForSqlServerVirtualMachines, defenderForAppServices, defenderForAppServices, defenderForStorageAccounts, defenderForKeyVaults, defenderForDns, defenderForArm
### November 2021
#### Docs
@ -492,11 +601,10 @@ Impacted assignment: Deploy-ASC-Monitoring
### Policy
- Replaced `Deploy-Default-Udr` policy with `Deploy-Custom-Route-Table` that allows deploying custom route tables with an arbitrary set of UDRs (including a 0/0 default route if needed). See [here](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/deploy-policy-driven-routing.md) for usage details.
- Updated `Deploy-Budget` policy, to v1.1.0, adding new parameter of `budgetName` that defaults to: `budget-set-by-policy` - closing issue [#842](https://github.com/Azure/Enterprise-Scale/issues/842)
- Including Fairfax
- Also Mooncake (Azure China) even though not in use yet
- Added `AuditEvent` to `Deploy-Diagnostics-AA` Policy Definition to ensure correct compliance reporting on Automation Account used for diagnostics - closing issue [#864](https://github.com/Azure/Enterprise-Scale/issues/864)
### Other
@ -510,7 +618,7 @@ Impacted assignment: Deploy-ASC-Monitoring
#### Docs
- Updates to [User Guide](https://github.com/Azure/Enterprise-Scale/wiki) to include instructions for deploying each of the reference implementations.
- Updated Deploying Enterprise Scale wiki page with updated workflow steps. (<https://github.com/Azure/Enterprise-Scale/pull/827>)
- Updated Deploying Enterprise Scale wiki page with updated workflow steps. ([https://github.com/Azure/Enterprise-Scale/pull/827](https://github.com/Azure/Enterprise-Scale/pull/827))
- Updated [implementation FAQ](https://github.com/Azure/Enterprise-Scale/wiki/FAQ) and moved to the Wiki
- Added [architecture FAQ](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/faq) to the CAF docs
@ -542,23 +650,23 @@ Impacted assignment: Deploy-ASC-Monitoring
#### Docs
- Added reference to Enterprise-Scale Analytics (<https://github.com/Azure/Enterprise-Scale/pull/809>)
- Added Do-It-Yourself instructions for deploying Enterprise-Scale in Azure China regions (<https://github.com/Azure/Enterprise-Scale/pull/802>)
- Added reference to Enterprise-Scale Analytics ([https://github.com/Azure/Enterprise-Scale/pull/809](https://github.com/Azure/Enterprise-Scale/pull/809))
- Added Do-It-Yourself instructions for deploying Enterprise-Scale in Azure China regions ([https://github.com/Azure/Enterprise-Scale/pull/802](https://github.com/Azure/Enterprise-Scale/pull/802))
#### Tooling
- Added Option to select Azure Firewall SKU (<https://github.com/Azure/Enterprise-Scale/pull/793>)
- Added Option to select Azure Firewall SKU ([https://github.com/Azure/Enterprise-Scale/pull/793](https://github.com/Azure/Enterprise-Scale/pull/793))
- [AzOps release v1.5.0](https://github.com/Azure/AzOps/releases/tag/1.5.0)
- Enabled support for Enterprise-Scale landing zones deployments to Azure gov (<https://github.com/Azure/Enterprise-Scale/pull/820>)
- Enabled support for Enterprise-Scale landing zones deployments to Azure gov ([https://github.com/Azure/Enterprise-Scale/pull/820](https://github.com/Azure/Enterprise-Scale/pull/820))
### Policy
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes |
| :--------------------------------------: | :---------------------------------------------------------------: | :--------------: | :---------------------: | :--------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
| Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Databricks | | | | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. |
| Deny-Databricks-Sku | Deny non-premium Databricks sku | Databricks | | | | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. |
| Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without Vnet injection | Databricks | | | | Enforces the use of vnet injection for Databricks workspaces. |
| Deny-MachineLearning-PublicNetworkAccess | Azure Machine Learning should have disabled public network access | Machine Learning | | | | Denies public network access for Azure Machine Learning workspaces. |
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes |
| :----------------------------------------: | :-----------------------------------------------------------------: | :----------------: | :-----------------------: | :----------------------------: | :-----------------: | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
| Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Databricks | | | | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. |
| Deny-Databricks-Sku | Deny non-premium Databricks sku | Databricks | | | | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. |
| Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without Vnet injection | Databricks | | | | Enforces the use of vnet injection for Databricks workspaces. |
| Deny-MachineLearning-PublicNetworkAccess | Azure Machine Learning should have disabled public network access | Machine Learning | | | | Denies public network access for Azure Machine Learning workspaces. |
### Other
@ -580,7 +688,7 @@ Impacted assignment: Deploy-ASC-Monitoring
- [Do-It-Yourself deployment instructions for Enterprise-Scale using Azure PowerShell released](https://github.com/Azure/Enterprise-Scale/tree/main/eslzArm)
- Update subscription filter in reference implementation UI experience. Subscriptions with state != "Enabled" will be excluded from the list of available subscriptions.
- Removed old codebase for the different reference implementations, and converged to a single [ARM codebase](https://github.com/Azure/Enterprise-Scale/tree/main/eslzArm)
- Improved Network CIDR Range Validation within the Azure Portal experience (<https://github.com/Azure/Enterprise-Scale/pull/767>).
- Improved Network CIDR Range Validation within the Azure Portal experience ([https://github.com/Azure/Enterprise-Scale/pull/767](https://github.com/Azure/Enterprise-Scale/pull/767)).
#### Policy
@ -629,47 +737,47 @@ Impacted assignment: Deploy-ASC-Monitoring
- Various custom ESLZ Azure Policies have moved to Built-In Azure Policies, see below table for more detail:
> You may continue to use the ESLZ custom Azure Policy as it will still function as it does today. However, we recommend you move to assigning the new Built-In version of the Azure Policy.
>
>
> **Please note** that moving to the new Built-In Policy Definition will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace; Policy Assignment historic data will be stored here as per the retention duration configured.
**Policy Definitions Updates**
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes |
| :----------------------------------------------: | :-----------------------------------------------------------------------------------: | :-------------: | :----------------------------------: | :----------------------------------------------------------------------------------------------------------------: | :---------------: | :----------------------------------------------------------------------------------------------------------------------------------: |
| Deny-PublicEndpoint-Aks | Public network access on AKS API should be disabled | Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Kubernetes | |
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes |
| :------------------------------------------------: | :-------------------------------------------------------------------------------------: | :---------------: | :------------------------------------: | :------------------------------------------------------------------------------------------------------------------: | :-----------------: | :------------------------------------------------------------------------------------------------------------------------------------: |
| Deny-PublicEndpoint-Aks | Public network access on AKS API should be disabled | Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Kubernetes | |
| Deny-PublicEndpoint-CosmosDB | Public network access should be disabled for CosmosDB | SQL | 797b37f7-06b8-444c-b1ad-fc62867f335a | Azure Cosmos DB should disable public network access | Cosmos DB | |
| Deny-PublicEndpoint-KeyVault | Public network access should be disabled for KeyVault | Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Key Vault | |
| Deny-PublicEndpoint-MySQL | Public network access should be disabled for MySQL | SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | SQL | |
| Deny-PublicEndpoint-KeyVault | Public network access should be disabled for KeyVault | Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Key Vault | |
| Deny-PublicEndpoint-MySQL | Public network access should be disabled for MySQL | SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | SQL | |
| Deny-PublicEndpoint-PostgreSql | Public network access should be disabled for PostgreSql | SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | SQL | |
| Deny-PublicEndpoint-Sql | Public network access on Azure SQL Database should be disabled | SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | SQL | |
| Deny-PublicEndpoint-Storage | Public network access onStorage accounts should be disabled | Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Storage | |
| Deploy-Diagnostics-AKS | Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace | Monitoring | 6c66c325-74c8-42fd-a286-a74b0e2939d | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Kubernetes | |
| Deploy-Diagnostics-Batch | Deploy Diagnostic Settings for Batch to Log Analytics workspace | Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-DataLakeStore | Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace | Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-EventHub | Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace | Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-KeyVault | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-LogicAppsWF | Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace | Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Monitoring | ~~This is currently not assigned as per [#691](https://github.com/Azure/Enterprise-Scale/issues/691)~~ |
| Deploy-Diagnostics-RecoveryVault | Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace | Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories | Backup | |
| Deploy-Diagnostics-SearchServices | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-ServiceBus | Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace | Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-SQLDBs | Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace | Monitoring | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | SQL | |
| Deploy-Diagnostics-StreamAnalytics | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | |
| Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint | Deploy DNS Zone Group for Storage-Blob Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-File-PrivateEndpoint | Deploy DNS Zone Group for Storage-File Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint | Deploy DNS Zone Group for Key Vault Private Endpoint | Network | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Key Vault |
| Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint | Deploy DNS Zone Group for Storage-Queue Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint | Deploy DNS Zone Group for SQL Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-Table-PrivateEndpoint | Deploy DNS Zone Group for Storage-Table Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-LA-Config | Deploy the configurations to the Log Analytics in the subscription | Monitoring | ***Policy Removed*** | ***Policy Removed*** | TBC | This policy has been removed as it is handled as a resource deployment in the ARM templates, portal experience and Terraform module. |
| Deploy-Log-Analytics | Deploy the Log Analytics in the subscription | Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Monitoring | |
| Deny-PublicEndpoint-Sql | Public network access on Azure SQL Database should be disabled | SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | SQL | |
| Deny-PublicEndpoint-Storage | Public network access onStorage accounts should be disabled | Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Storage | |
| Deploy-Diagnostics-AKS | Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace | Monitoring | 6c66c325-74c8-42fd-a286-a74b0e2939d | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Kubernetes | |
| Deploy-Diagnostics-Batch | Deploy Diagnostic Settings for Batch to Log Analytics workspace | Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-DataLakeStore | Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace | Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-EventHub | Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace | Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-KeyVault | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-LogicAppsWF | Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace | Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Monitoring | ~~This is currently not assigned as per [#691](https://github.com/Azure/Enterprise-Scale/issues/691)~~ |
| Deploy-Diagnostics-RecoveryVault | Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace | Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories | Backup | |
| Deploy-Diagnostics-SearchServices | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-ServiceBus | Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace | Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-SQLDBs | Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace | Monitoring | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | SQL | |
| Deploy-Diagnostics-StreamAnalytics | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | |
| Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint | Deploy DNS Zone Group for Storage-Blob Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-File-PrivateEndpoint | Deploy DNS Zone Group for Storage-File Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint | Deploy DNS Zone Group for Key Vault Private Endpoint | Network | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Key Vault | |
| Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint | Deploy DNS Zone Group for Storage-Queue Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint | Deploy DNS Zone Group for SQL Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-DNSZoneGroup-For-Table-PrivateEndpoint | Deploy DNS Zone Group for Storage-Table Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. We'll be here very soon! |
| Deploy-LA-Config | Deploy the configurations to the Log Analytics in the subscription | Monitoring | ***Policy Removed*** | ***Policy Removed*** | TBC | This policy has been removed as it is handled as a resource deployment in the ARM templates, portal experience and Terraform module. |
| Deploy-Log-Analytics | Deploy the Log Analytics in the subscription | Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Monitoring | |
**Policy Initiatives Updates**
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | New Policy Name/ID | New Policy Display Name | New Category | Notes |
| :----------------------: | :--------------------------------------------------------: | :-------------: | :-----------------------------: | :--------------------------------------------------------: | :----------: | :-----------------------------------------------------------------------: |
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | New Policy Name/ID | New Policy Display Name | New Category | Notes |
| :------------------------: | :----------------------------------------------------------: | :---------------: | :-------------------------------: | :----------------------------------------------------------: | :------------: | :-------------------------------------------------------------------------: |
| Deploy-Diag-LogAnalytics | Deploy Diagnostic Settings to Azure Services | N/A | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Monitoring | Moved to using a mix of Built-In (as above) and custom policy definitions |
| Deny-PublicEndpoints | Public network access should be disabled for PAAS services | Network | Deny-PublicPaaSEndpoints | Public network access should be disabled for PaaS services | N/A | Moved to using Built-In policy definitions only (as above) |
| ***New Policy*** | ***New Policy*** | N/A | Deploy-Private-DNS-Zones | Configure Azure PaaS services to use private DNS zones | Network | |
| Deny-PublicEndpoints | Public network access should be disabled for PAAS services | Network | Deny-PublicPaaSEndpoints | Public network access should be disabled for PaaS services | N/A | Moved to using Built-In policy definitions only (as above) |
| ***New Policy*** | ***New Policy*** | N/A | Deploy-Private-DNS-Zones | Configure Azure PaaS services to use private DNS zones | Network | |
- Moved several of the diagnostics Policies to built-in, and updating the diagnostics Initiative
- This means there's a new resource name as update of existing one is not be allowed due to removal of parameters
@ -710,4 +818,4 @@ Impacted assignment: Deploy-ASC-Monitoring
#### Other
- Contoso Reference Implementation Update - Virtual WAN Hub default CIDR changed from `/16` to `/23` - closing issue [#440](https://github.com/Azure/Enterprise-Scale/issues/440)
- Contoso Reference Implementation Update - Virtual WAN Hub default CIDR changed from `/16` to `/23` - closing issue [#440](https://github.com/Azure/Enterprise-Scale/issues/440)


docs/wiki/media/ALZ Policy Assignments v2.xlsx Normal file


@ -47,6 +47,12 @@
"enableAscForServers": {
"value": "DeployIfNotExists"
},
"enableAscForServersVulnerabilityAssessments": {
"value": "DeployIfNotExists"
},
"vulnerabilityAssessmentProvider": {
"value": "default"
},
"enableAscForOssDb": {
"value": "DeployIfNotExists"
},
@ -71,12 +77,21 @@
"enableAscForArm": {
"value": "DeployIfNotExists"
},
"enableAscForApis": {
"value": "DeployIfNotExists"
},
"enableAscForCspm": {
"value": "DeployIfNotExists"
},
"enableAscForDns": {
"value": "DeployIfNotExists"
},
"enableAscForContainers": {
"value": "DeployIfNotExists"
},
"enableMDEndpoints": {
"value": "DeployIfNotExists"
},
"enableSecuritySolution": {
"value": "Yes"
},
@ -161,7 +176,7 @@
"subnetMaskForAzFw": {
"value": ""
},
"denyRdpForIdentity": {
"denyMgmtPortsForIdentity": {
"value": "Yes"
},
"denySubnetWithoutNsgForIdentity": {
@ -170,6 +185,9 @@
"denyPipForIdentity": {
"value": "Yes"
},
"denyPipOnNicForCorp": {
"value": "Yes"
},
"enableVmBackupForIdentity": {
"value": "Yes"
},
@ -206,19 +224,10 @@
"denyHttpIngressForAks": {
"value": "Yes"
},
"denyDatabricksPip": {
"value": "Yes"
},
"denyDatabricksVnet": {
"value": "Yes"
},
"denyDatabricksSku": {
"value": "Yes"
},
"enableVmBackup": {
"value": "Yes"
},
"denyRdp": {
"denyMgmtPorts": {
"value": "Yes"
},
"denySubnetWithoutNsg": {
@ -227,17 +236,41 @@
"denyIpForwarding": {
"value": "Yes"
},
"denyClassicResources": {
"value": "Yes"
},
"denyVMUnmanagedDisk": {
"value": "Yes"
},
"enableSqlEncryption": {
"value": "Yes"
},
"enableSqlAudit": {
"value": "Yes"
},
"enableDecommissioned": {
"value": "Yes"
},
"enableSandbox": {
"value": "Yes"
},
"enableStorageHttps": {
"value": "Yes"
},
"enforceKvGuardrails": {
"value": "Yes"
},
"denyHybridNetworking": {
"value": "Yes"
},
"auditPeDnsZones": {
"value": "Yes"
},
"enforceAcsb": {
"value": "Yes"
},
"delayCount": {
"value": 30
"value": 35
}
}
}


@ -111,6 +111,30 @@
}
]
},
{
"name": "denyClassicResources",
"type": "Microsoft.Common.OptionsGroup",
"label": "Prevent the deployment of classic resources",
"defaultValue": "Yes (recommended)",
"visible": true,
"toolTip": "If 'Yes' is selected then Azure Policy will prevent deployment of classic resources.",
"constraints": {
"allowedValues": [
{
"label": "Yes (recommended)",
"value": "Yes"
},
{
"label": "Audit only",
"value": "Audit"
},
{
"label": "No",
"value": "No"
}
]
}
},
{
"name": "esGoalState",
"label": "Platform management, security, and governance",
@ -2381,6 +2405,7 @@
"erAzSku": "[steps('esConnectivityGoalState').esErAzSku]",
"erRegionalSku": "[if(empty(steps('esConnectivityGoalState').esErRegionalSku), steps('esConnectivityGoalState').esErNoAzSku, steps('esConnectivityGoalState').esErRegionalSku)]",
"singlePlatformSubscriptionId": "[steps('lzSettings').esSingleSubSection.esSingleSub.subscriptionId]",
"denyClassicResources": "[steps('lzSettings').denyClassicResources]",
"expressRouteScaleUnit": "[steps('esConnectivityGoalState').esVwanErScaleUnits]",
"vpnGateWayScaleUnit": "[steps('esConnectivityGoalState').esVwanGwScaleUnits]",
"enablePrivateDnsZones": "[steps('esConnectivityGoalState').esPrivateDns]",
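Review bot: The toolTip on the new `denyClassicResources` options group describes only the `Yes` outcome, while the group also offers `Audit only`, so a user picking the middle option gets no explanation of what it does. Suggest `"toolTip": "If 'Yes' is selected, Azure Policy will deny deployment of classic resources; 'Audit only' reports existing or new classic resources as non-compliant without blocking them."`. The output mapping in the second hunk (`"denyClassicResources": "[steps('lzSettings').denyClassicResources]"`) passes the raw `Yes`/`Audit`/`No` string through, so the consuming template presumably maps `Audit` to the assignment's `policyEffect` — worth confirming, since the Deny-Classic-Resources assignment template elsewhere in this commit only accepts `Deny` or `Audit`.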


@ -2,11 +2,14 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"policyEffect": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
"allowedValues": [
"Deny",
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"enforcementMode": {
"type": "string",
@ -19,27 +22,27 @@
},
"variables": {
"policyDefinitions": {
"denyDatabricksPip": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp')]"
},
"auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66"
},
"policyAssignmentNames": {
"denyDatabricksPip": "Deny-DataB-Pip",
"description": "Prevent the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.",
"displayName": "Prevent usage of Databricks with public IP"
"auditWAF": "Audit-AppGW-WAF",
"description": "Assign the WAF should be enabled for Application Gateway audit policy.",
"displayName": "Web Application Firewall (WAF) should be enabled for Application Gateway"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyDatabricksPip]",
"name": "[variables('policyAssignmentNames').auditWAF]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyDatabricksPip]",
"policyDefinitionId": "[variables('policyDefinitions').auditWAF]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
"value": "Deny"
"value": "[parameters('policyEffect')]"
}
}
}
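Review bot: The assignment description is hard-coded as an audit (`"Assign the WAF should be enabled for Application Gateway audit policy."`) while the new `policyEffect` parameter also allows `Deny`, so a Deny assignment will present itself in the portal as an audit. Suggest `"description": "Assigns the built-in 'Web Application Firewall (WAF) should be enabled for Application Gateway' policy; the effect (Audit, Deny or Disabled) is set by the policyEffect parameter."`. The `policyEffect` parameter also carries no `metadata.description`, so nothing tells a deployer that `Deny` blocks creation of Application Gateways without a WAF policy rather than merely flagging them; a one-line description stating that would close the gap. The removed `topLevelManagementGroupPrefix` parameter is no longer referenced in the visible hunks since the definition is now a built-in ID, which looks correct.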


@ -0,0 +1,133 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"policyEffect": {
"type": "string",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
},
"privateLinkDnsZones": {
"type": "Array",
"metadata": {
"displayName": "Private Link Private DNS Zones",
"description": "An array of Private Link Private DNS Zones to check for the existence of in the assigned scope."
},
"defaultValue": [
"privatelink.adf.azure.com",
"privatelink.afs.azure.net",
"privatelink.agentsvc.azure-automation.net",
"privatelink.analysis.windows.net",
"privatelink.api.azureml.ms",
"privatelink.azconfig.io",
"privatelink.azure-api.net",
"privatelink.azure-automation.net",
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
"privatelink.azuresynapse.net",
"privatelink.azurewebsites.net",
"privatelink.batch.azure.com",
"privatelink.blob.core.windows.net",
"privatelink.cassandra.cosmos.azure.com",
"privatelink.cognitiveservices.azure.com",
"privatelink.database.windows.net",
"privatelink.datafactory.azure.net",
"privatelink.dev.azuresynapse.net",
"privatelink.dfs.core.windows.net",
"privatelink.dicom.azurehealthcareapis.com",
"privatelink.digitaltwins.azure.net",
"privatelink.directline.botframework.com",
"privatelink.documents.azure.com",
"privatelink.eventgrid.azure.net",
"privatelink.file.core.windows.net",
"privatelink.gremlin.cosmos.azure.com",
"privatelink.guestconfiguration.azure.com",
"privatelink.his.arc.azure.com",
"privatelink.kubernetesconfiguration.azure.com",
"privatelink.managedhsm.azure.net",
"privatelink.mariadb.database.azure.com",
"privatelink.media.azure.net",
"privatelink.mongo.cosmos.azure.com",
"privatelink.monitor.azure.com",
"privatelink.mysql.database.azure.com",
"privatelink.notebooks.azure.net",
"privatelink.ods.opinsights.azure.com",
"privatelink.oms.opinsights.azure.com",
"privatelink.pbidedicated.windows.net",
"privatelink.postgres.database.azure.com",
"privatelink.prod.migration.windowsazure.com",
"privatelink.purview.azure.com",
"privatelink.purviewstudio.azure.com",
"privatelink.queue.core.windows.net",
"privatelink.redis.cache.windows.net",
"privatelink.redisenterprise.cache.azure.net",
"privatelink.search.windows.net",
"privatelink.service.signalr.net",
"privatelink.servicebus.windows.net",
"privatelink.siterecovery.windowsazure.com",
"privatelink.sql.azuresynapse.net",
"privatelink.table.core.windows.net",
"privatelink.table.cosmos.azure.com",
"privatelink.tip1.powerquery.microsoft.com",
"privatelink.token.botframework.com",
"privatelink.vaultcore.azure.net",
"privatelink.web.core.windows.net",
"privatelink.webpubsub.azure.com"
]
}
},
"variables": {
"policyDefinitions": {
"auditPeDnsZones": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones')]"
},
"policyAssignmentNames": {
"auditPeDnsZones": "Audit-PeDnsZones",
"description": "Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone.",
"displayName": "Audit Private Link Private DNS Zone resources"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').auditPeDnsZones]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').auditPeDnsZones]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"privateLinkDnsZones": {
"value": "[parameters('privateLinkDnsZones')]"
},
"effect": {
"value": "[parameters('policyEffect')]"
}
}
}
}
],
"outputs": {}
}
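Review bot: The 63-entry `privateLinkDnsZones` default is a point-in-time snapshot, and any Private Link service added later will simply not be audited — the parameter's `metadata.description` should say that the list is a default to be kept current and name where the canonical list is maintained, e.g. `"description": "Private Link Private DNS Zones to audit for in the assigned scope. This default is a snapshot; review it against the current Azure Private Link DNS zone list when new services are adopted."`. `policyEffect` and `enforcementMode` have no `metadata.description` at all, unlike `privateLinkDnsZones`, so the deployer is not told that `Audit` here only reports missing zones and that `Deny` would block zone creation in the scope. The assignment description says "in the Corp landing zone" but nothing in the template binds it to that scope; the scope presumably comes from where the template is deployed, which is worth stating in the description.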


@ -0,0 +1,80 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
},
"effectDisks": {
"type": "string",
"allowedValues": [
"Disabled",
"Audit"
],
"defaultValue": "Audit"
},
"effectPublicIpAddresses": {
"type": "string",
"allowedValues": [
"Disabled",
"Audit"
],
"defaultValue": "Audit"
},
"effectServerFarms": {
"type": "string",
"allowedValues": [
"Disabled",
"Audit"
],
"defaultValue": "Audit"
}
},
"variables": {
"policyDefinitions": {
"auditCostOptimization": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization')]"
},
"policyAssignmentNames": {
"costOptimization": "Audit-UnusedResources",
"description": "This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost.",
"displayName": "Unused resources driving cost should be avoided"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').costOptimization]",
"location": "[deployment().location]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').auditCostOptimization]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"EffectDisks": {
"value": "[parameters('effectDisks')]"
},
"EffectPublicIpAddresses": {
"value": "[parameters('effectPublicIpAddresses')]"
},
"EffectServerFarms": {
"value": "[parameters('effectServerFarms')]"
}
}
}
}
],
"outputs": {}
}
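Review bot: The assignment sets `"location": "[deployment().location]"` but declares no `identity`, and location on a policy assignment only matters when a managed identity is attached; the other new assignment templates in this commit (Deny-Classic-Resources, Deny-HybridNetworking) omit it, so either drop the line or add a comment-equivalent in the resource's description explaining why it is kept. The assignment passes `EffectDisks`, `EffectPublicIpAddresses` and `EffectServerFarms` while the template parameters are `effectDisks` etc.; presumably the capitalised names match the `Audit-UnusedResourcesCostOptimization` initiative's declared parameter names — confirm, since a mismatch only surfaces at deployment time. The three effect parameters have no `metadata.description`; a one-liner such as `"description": "Effect for unattached managed disks (Audit or Disabled)."` on each would make the initiative's scope clear to a deployer.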


@ -0,0 +1,112 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyEffect": {
"type": "string",
"allowedValues": [
"Deny",
"Audit"
],
"defaultValue": "Deny"
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
},
"policyAssignmentNames": {
"denyClassicResources": "Deny-Classic-Resources",
"description": "Denies deployment of classic resource types under the assigned scope.",
"displayName": "Deny the deployment of classic resources"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyClassicResources]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyClassicResources]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"listOfResourceTypesNotAllowed": {
"value": [
"Microsoft.ClassicCompute/capabilities",
"Microsoft.ClassicCompute/checkDomainNameAvailability",
"Microsoft.ClassicCompute/domainNames",
"Microsoft.ClassicCompute/domainNames/capabilities",
"Microsoft.ClassicCompute/domainNames/internalLoadBalancers",
"Microsoft.ClassicCompute/domainNames/serviceCertificates",
"Microsoft.ClassicCompute/domainNames/slots",
"Microsoft.ClassicCompute/domainNames/slots/roles",
"Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions",
"Microsoft.ClassicCompute/domainNames/slots/roles/metrics",
"Microsoft.ClassicCompute/moveSubscriptionResources",
"Microsoft.ClassicCompute/operatingSystemFamilies",
"Microsoft.ClassicCompute/operatingSystems",
"Microsoft.ClassicCompute/operations",
"Microsoft.ClassicCompute/operationStatuses",
"Microsoft.ClassicCompute/quotas",
"Microsoft.ClassicCompute/resourceTypes",
"Microsoft.ClassicCompute/validateSubscriptionMoveAvailability",
"Microsoft.ClassicCompute/virtualMachines",
"Microsoft.ClassicCompute/virtualMachines/diagnosticSettings",
"Microsoft.ClassicCompute/virtualMachines/metricDefinitions",
"Microsoft.ClassicCompute/virtualMachines/metrics",
"Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources",
"Microsoft.ClassicNetwork/capabilities",
"Microsoft.ClassicNetwork/expressRouteCrossConnections",
"Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings",
"Microsoft.ClassicNetwork/gatewaySupportedDevices",
"Microsoft.ClassicNetwork/networkSecurityGroups",
"Microsoft.ClassicNetwork/operations",
"Microsoft.ClassicNetwork/quotas",
"Microsoft.ClassicNetwork/reservedIps",
"Microsoft.ClassicNetwork/virtualNetworks",
"Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies",
"Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings",
"Microsoft.ClassicStorage/capabilities",
"Microsoft.ClassicStorage/checkStorageAccountAvailability",
"Microsoft.ClassicStorage/disks",
"Microsoft.ClassicStorage/images",
"Microsoft.ClassicStorage/operations",
"Microsoft.ClassicStorage/osImages",
"Microsoft.ClassicStorage/osPlatformImages",
"Microsoft.ClassicStorage/publicImages",
"Microsoft.ClassicStorage/quotas",
"Microsoft.ClassicStorage/storageAccounts",
"Microsoft.ClassicStorage/storageAccounts/blobServices",
"Microsoft.ClassicStorage/storageAccounts/fileServices",
"Microsoft.ClassicStorage/storageAccounts/metricDefinitions",
"Microsoft.ClassicStorage/storageAccounts/metrics",
"Microsoft.ClassicStorage/storageAccounts/queueServices",
"Microsoft.ClassicStorage/storageAccounts/services",
"Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings",
"Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions",
"Microsoft.ClassicStorage/storageAccounts/services/metrics",
"Microsoft.ClassicStorage/storageAccounts/tableServices",
"Microsoft.ClassicStorage/storageAccounts/vmImages",
"Microsoft.ClassicStorage/vmImages",
"Microsoft.ClassicSubscription/operations"
]
},
"effect": {
"value": "[parameters('policyEffect')]"
}
}
}
}
],
"outputs": {}
}
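Review bot: The `listOfResourceTypesNotAllowed` value mixes deployable classic resources with read-only operation and metadata types (`Microsoft.ClassicCompute/operations`, `.../quotas`, `.../capabilities`, `.../checkDomainNameAvailability`, `Microsoft.ClassicSubscription/operations`), which can never be created by a deployment and only add noise to the list and to compliance evaluation. Trimming the list to creatable types such as `Microsoft.ClassicCompute/virtualMachines`, `Microsoft.ClassicCompute/domainNames`, `Microsoft.ClassicNetwork/virtualNetworks`, `Microsoft.ClassicNetwork/networkSecurityGroups`, `Microsoft.ClassicNetwork/reservedIps` and `Microsoft.ClassicStorage/storageAccounts` would keep the intent without the dead entries, if the broad list is not deliberate. `policyEffect` allows only `Deny` and `Audit` whereas the Audit-AppGW-WAF template in this commit also allows `Disabled`; if the built-in definition supports `Disabled`, exposing it here would give the portal's "No" option a direct mapping. `policyEffect` also lacks a `metadata.description`; suggest `"description": "Deny blocks creation of the listed classic resource types; Audit only reports them as non-compliant."`.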


@ -0,0 +1,63 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"policyEffect": {
"type": "string",
"allowedValues": [
"Deny",
"Audit"
],
"defaultValue": "Deny"
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
},
"policyAssignmentNames": {
"denyHybridNetworking": "Deny-HybridNetworking",
"description": "Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone.",
"displayName": "Deny the deployment of vWAN/ER/VPN gateway resources"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyHybridNetworking]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyHybridNetworking]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"listOfResourceTypesNotAllowed": {
"value": [
"microsoft.network/expressroutecircuits",
"microsoft.network/expressroutegateways",
"microsoft.network/expressrouteports",
"microsoft.network/virtualwans",
"microsoft.network/vpngateways",
"microsoft.network/p2svpngateways",
"microsoft.network/vpnsites",
"microsoft.network/virtualnetworkgateways"
]
},
"effect": {
"value": "[parameters('policyEffect')]"
}
}
}
}
],
"outputs": {}
}
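Review bot: The denied resource-type list in the `listOfResourceTypesNotAllowed` value is hard-coded inside the assignment, while the Enforce-ALZ-Sandbox and Enforce-ALZ-Decomm templates later in this commit expose their equivalent list as an `Array` parameter with a `defaultValue`. Lifting the eight `microsoft.network/*` types into a parameter of the same name keeps the three templates consistent and lets a deployment tighten or relax the list without editing the template. The `description` also bakes in a scope (`in the Corp landing zone`) that is actually chosen at deployment time; either keep that wording in the deployment docs or phrase it scope-neutrally, e.g. `"description": "Denies deployment of vWAN/ER/VPN gateway resources at the assigned scope.",`.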


@ -19,23 +19,23 @@
},
"variables": {
"policyDefinitions": {
"denyRdp": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet')]"
"denyMgmt": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet')]"
},
"policyAssignmentNames": {
"denyRdp": "Deny-RDP-from-internet",
"description": "This policy denies any network security rule that allows RDP access from Internet",
"displayName": "RDP access from the Internet should be blocked"
"denyMgmt": "Deny-MgmtPorts-Internet",
"description": "This policy denies any network security rule that allows management port access from the Internet",
"displayName": "Management port access from the Internet should be blocked"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyRdp]",
"name": "[variables('policyAssignmentNames').denyMgmt]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyRdp]",
"policyDefinitionId": "[variables('policyDefinitions').denyMgmt]",
"enforcementMode": "[parameters('enforcementMode')]"
}
}
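Review bot: Renaming the assignment from `Deny-RDP-from-internet` to `Deny-MgmtPorts-Internet` (and its definition reference to `Deny-MgmtPorts-From-Internet`) does not remove the existing assignment: an incremental ARM deployment creates the new resource and leaves the old one in place, so both are enforced side by side until the old one is deleted. The same applies to the Deploy-SQL-DB-Auditing → Deploy-AzSqlDb-Auditing, Deny-DataB-Sku → Enforce-ALZ-Sandbox and Deny-DataB-Vnet → Enforce-GR-KeyVault renames later in this commit; for the SQL auditing one the superseded assignment's Owner role assignment is also left behind. A cleanup step for the superseded assignments, or at least a line in the release notes naming them, would close that gap. The template also depends on the custom definition `Deny-MgmtPorts-From-Internet` already existing under the prefix management group, which is not visible in this section.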


@ -0,0 +1,38 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114"
},
"policyAssignmentNames": {
"denyPipOnNIC": "Deny-Public-IP-On-NIC",
"description": "This policy denies network interfaces from having a public IP associated to it under the assigned scope.",
"displayName": "Deny network interfaces having a public IP associated"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyPipOnNic]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyPipOnNic]",
"enforcementMode": "[parameters('enforcementMode')]"
}
}
],
"outputs": {}
}
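Review bot: The variable is declared as `denyPipOnNIC` in the `policyAssignmentNames` object but referenced as `variables('policyAssignmentNames').denyPipOnNic` in the resource `name`. ARM resolves object property names case-insensitively as far as I know, so this likely deploys, but it relies on that behaviour and will trip anyone searching for the key; rename the declaration to `"denyPipOnNic": "Deny-Public-IP-On-NIC",` so it matches both the `policyDefinitions` key and the reference.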


@ -0,0 +1,44 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
},
"policyAssignmentNames": {
"denyVMUnmanagedDisk": "Deny-UnmanagedDisk",
"description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields.",
"displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2022-06-01",
"name": "[variables('policyAssignmentNames').denyVMUnmanagedDisk]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyVMUnmanagedDisk]",
"enforcementMode": "[parameters('enforcementMode')]",
"overrides":[
{
"kind": "policyEffect",
"value": "Deny"
}
]
}
}
],
"outputs": {}
}
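Review bot: The `Deny` effect here comes entirely from the `overrides` entry rather than from the referenced built-in definition, and nothing in the template records why. Because the override carries no `selectors` it applies to every evaluation of the assignment, and a reader who sees `"kind": "policyEffect"` with a hard-coded `Deny` cannot tell whether the built-in's own effect is fixed (which the use of an override suggests) or why `policyEffect` is not a parameter as it is in the Deny-HybridNetworking template. Extend the `description` value to say so, e.g. append ` The Deny effect is applied through an assignment override because the referenced definition does not expose an effect parameter.`, and consider surfacing the override value as a `policyEffect` parameter for parity with the sibling templates.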


@ -0,0 +1,66 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"DineAtpOssDb": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e"
},
"policyAssignmentNames": {
"DineAtpOssDb": "Deploy-MDFC-OssDb",
"description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu.",
"displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases"
},
"rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleAssignmentNames": {
"deployAtpOssRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').DineAtpOssDb))]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').DineAtpOssDb]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').DineAtpOssDb]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployAtpOssRoles]",
"dependsOn": [
"[variables('policyAssignmentNames').DineAtpOssDb]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').DineAtpOssDb), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
}
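Review bot: The managed identity is granted the Contributor role (`rbacContributor`) at the deployment scope for a DeployIfNotExists initiative whose stated purpose is to enable Advanced Threat Protection on database servers, while the sibling Deploy-MDFC-SqlAtp template grants the narrower SQL Security Manager role for the equivalent task. Contributor lets the policy identity modify any resource under the scope; confirm against the `roleDefinitionIds` declared by the initiative's member definitions whether a data-service-specific role (or a combination of them) suffices, and record the chosen role in the variable name or a metadata entry. The same question applies to the Deploy-MDEndpoints and Enforce-ACSB templates in this commit, which also grant Contributor.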


@ -0,0 +1,66 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"DineAtpSqlDb": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97"
},
"policyAssignmentNames": {
"DineAtpSqlDb": "Deploy-MDFC-SqlAtp",
"description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.",
"displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances"
},
"rbacSqlSecurityManager": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"roleAssignmentNames": {
"deployAtpSqlRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').DineAtpSqlDb))]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').DineAtpSqlDb]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').DineAtpSqlDb]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployAtpSqlRoles]",
"dependsOn": [
"[variables('policyAssignmentNames').DineAtpSqlDb]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSqlSecurityManager'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').DineAtpSqlDb), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
}


@ -0,0 +1,89 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
},
"enableMDEndpoints": {
"type": "string",
"allowedValues": [
"Disabled",
"DeployIfNotExists",
"AuditIfNotExists"
],
"defaultValue": "DeployIfNotExists"
}
},
"variables": {
"policyDefinitions": {
"deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc"
},
"policyAssignmentNames": {
"azureSecurityMDE": "Deploy-MDEndpoints",
"description": "Deploy Microsoft Defender for Endpoint agent on applicable images.",
"displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent"
},
"rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleAssignmentNames": {
"deployMDEndpoints": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurityMDE))]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').azureSecurityMDE]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"microsoftDefenderForEndpointWindowsVmAgentDeployEffect": {
"value": "[parameters('enableMDEndpoints')]"
},
"microsoftDefenderForEndpointLinuxVmAgentDeployEffect": {
"value": "[parameters('enableMDEndpoints')]"
},
"microsoftDefenderForEndpointWindowsArcAgentDeployEffect": {
"value": "[parameters('enableMDEndpoints')]"
},
"microsoftDefenderForEndpointLinuxArcAgentDeployEffect": {
"value": "[parameters('enableMDEndpoints')]"
}
}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployMDEndpoints]",
"dependsOn": [
"[variables('policyAssignmentNames').azureSecurityMDE]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurityMDE), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
}
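Review bot: `parameters('toplevelManagementGroupPrefix')` in `roleAssignmentNames.deployMDEndpoints` does not match the declared parameter name `topLevelManagementGroupPrefix`; ARM parameter lookup is case-insensitive so it resolves, but the sibling Deploy-MDFC-OssDb and Deploy-MDFC-SqlAtp templates spell it consistently and the mismatch defeats search-and-replace. Change it to `"deployMDEndpoints": "[guid(concat(parameters('topLevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurityMDE))]"`. A single `enableMDEndpoints` parameter drives all four Windows/Linux VM and Arc effects, which is reasonable, but a `metadata.description` on the parameter stating that it applies to all four would save the reader from tracing the mapping.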


@ -36,6 +36,22 @@
],
"defaultValue": "Disabled"
},
"enableAscForServersVulnerabilityAssessments": {
"type": "string",
"allowedValues": [
"Disabled",
"DeployIfNotExists"
],
"defaultValue": "Disabled"
},
"vulnerabilityAssessmentProvider": {
"type": "string",
"allowedValues": [
"default",
"mdeTvm"
],
"defaultValue": "default"
},
"enableAscForSql": {
"type": "string",
"allowedValues": [
@ -115,6 +131,22 @@
"DeployIfNotExists"
],
"defaultValue": "Disabled"
},
"enableAscForApis": {
"type": "string",
"allowedValues": [
"Disabled",
"DeployIfNotExists"
],
"defaultValue": "Disabled"
},
"enableAscForCspm": {
"type": "string",
"allowedValues": [
"Disabled",
"DeployIfNotExists"
],
"defaultValue": "Disabled"
}
},
"variables": {
@ -161,6 +193,12 @@
"enableAscForServers": {
"value": "[parameters('enableAscForServers')]"
},
"enableAscForServersVulnerabilityAssessments": {
"value": "[parameters('enableAscForServersVulnerabilityAssessments')]"
},
"vulnerabilityAssessmentProvider": {
"value": "[parameters('vulnerabilityAssessmentProvider')]"
},
"enableAscForSql": {
"value": "[parameters('enableAscForSql')]"
},
@ -190,6 +228,12 @@
},
"enableAscForCosmosDbs": {
"value": "[parameters('enableAscForCosmosDbs')]"
},
"enableAscForApis": {
"value": "[parameters('enableAscForApis')]"
},
"enableAscForCspm": {
"value": "[parameters('enableAscForCspm')]"
}
}
}
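Review bot: The four new parameters (`enableAscForServersVulnerabilityAssessments`, `vulnerabilityAssessmentProvider`, `enableAscForApis`, `enableAscForCspm`) carry no `metadata.description`, unlike `topLevelManagementGroupPrefix` in the sibling templates, and they default to `Disabled`/`default`, so the vulnerability assessment, API and CSPM plans stay off unless a deployment sets them explicitly. That opt-in default is defensible but should be stated; for example add `"metadata": { "description": "Effect for the Defender for Servers vulnerability assessment policy; Disabled leaves the plan off." }` and a similar entry documenting which provider each `vulnerabilityAssessmentProvider` value selects. The enclosing `parameters` and `variables` objects start before and continue after the hunks shown here.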


@ -8,6 +8,12 @@
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"logAnalyticsResourceId": {
"type": "string",
"metadata": {
"description": "Provide the resourceId for the central Log Analytics workspace."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
@ -19,17 +25,17 @@
},
"variables": {
"policyDefinitions": {
"deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"
"deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb"
},
"policyAssignmentNames": {
"deploySqlAuditing": "Deploy-SQL-DB-Auditing",
"description": "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log.",
"displayName": "Auditing on SQL server should be enabled"
"deploySqlAuditing": "Deploy-AzSqlDb-Auditing",
"description": "To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace.",
"displayName": "Configure SQL servers to have auditing enabled to Log Analytics workspace"
},
"rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"roleAssignmentNames": {
"deploySqlAuditing": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing))]"
}
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"rbacSqlSecurityManager": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing,'-1'))]",
"roleAssignmentNameSqlSecurityManager": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing,'-2'))]"
},
"resources": [
{
@ -44,22 +50,45 @@
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]",
"enforcementMode": "[parameters('enforcementMode')]"
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"logAnalyticsWorkspaceId": {
"value": "[parameters('logAnalyticsResourceId')]"
}
}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deploySqlAuditing]",
"name": "[variables('roleAssignmentNameLogAnalyticsContributor')]",
"dependsOn": [
"[variables('policyAssignmentNames').deploySqlAuditing]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacLogAnalyticsContributor'))]",
"principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full' ).identity.principalId]"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNameSqlSecurityManager')]",
"dependsOn": [
"[variables('policyAssignmentNames').deploySqlAuditing]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacSqlSecurityManager'))]",
"principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full' ).identity.principalId]"
}
}
],
"outputs": {}
}
"outputs": {
"principalId": {
"type": "string",
"value": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2019-09-01', 'Full').identity.principalId]"
}
}
}
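Review bot: Both new role assignments are scoped to the management group being deployed to, but the workspace named by `logAnalyticsResourceId` may sit outside that scope (a central management subscription under a different management group), in which case the Log Analytics Contributor grant does not cover the workspace and remediation of `logAnalyticsWorkspaceId` will fail; the new `principalId` output looks intended to let the caller add such a grant on the workspace. If that is the design, say so in the parameter's `metadata.description`, e.g. `"description": "Provide the resourceId for the central Log Analytics workspace. If it lives outside the assignment scope, grant the output principalId Log Analytics Contributor on the workspace."`. Replacing the previous Owner grant with Log Analytics Contributor plus SQL Security Manager is a welcome least-privilege reduction. Minor inconsistency: `principalId` here omits the `toLower()` wrapper the other templates in this commit use.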


@ -0,0 +1,87 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
},
"listOfResourceTypesAllowed": {
"type": "Array",
"defaultValue": [
"microsoft.consumption/tags",
"microsoft.authorization/roleassignments",
"microsoft.authorization/roledefinitions",
"microsoft.authorization/policyassignments",
"microsoft.authorization/locks",
"microsoft.authorization/policydefinitions",
"microsoft.authorization/policysetdefinitions",
"microsoft.resources/tags",
"microsoft.authorization/roleeligibilityschedules",
"microsoft.authorization/roleeligibilityscheduleinstances",
"microsoft.authorization/roleassignmentschedules",
"microsoft.authorization/roleassignmentscheduleinstances"
]
}
},
"variables": {
"policyDefinitions": {
"enforceAlzDecommissioned": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm')]"
},
"policyAssignmentNames": {
"alzDecommission": "Enforce-ALZ-Decomm",
"description": "This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information.",
"displayName": "Enforce ALZ Decommissioned Guardrails"
},
"rbacVMContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"roleAssignmentNames": {
"deployDecommRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').alzDecommission))]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').alzDecommission]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').enforceAlzDecommissioned]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"listOfResourceTypesAllowed": {
"value": "[parameters('listOfResourceTypesAllowed')]"
}
}
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployDecommRoles]",
"dependsOn": [
"[variables('policyAssignmentNames').alzDecommission]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacVMContributor'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').alzDecommission), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
}
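Review bot: The `listOfResourceTypesAllowed` default permits `microsoft.authorization/roleassignments` and `microsoft.authorization/roledefinitions` inside decommissioned subscriptions, and the parameter has no `metadata.description` explaining why those authorization types must remain deployable there (presumably so the initiative's own remediation and the PIM schedule types keep working). Anyone reviewing the decommission guardrails will want that rationale next to the list; add a `metadata` entry such as `"description": "Resource types that may still be deployed under the decommissioned management group; authorization types are kept so role and policy management continues to function."`. The Virtual Machine Contributor grant is appropriately narrow for an initiative that acts on VMs, assuming that is all its member definitions require.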


@ -15,31 +15,43 @@
"DoNotEnforce"
],
"defaultValue": "Default"
},
"listOfResourceTypesNotAllowed": {
"type": "Array",
"defaultValue": [
"microsoft.network/expressroutecircuits",
"microsoft.network/expressroutegateways",
"microsoft.network/virtualwans",
"microsoft.network/virtualhubs",
"microsoft.network/vpngateways",
"microsoft.network/vpnsites"
]
}
},
"variables": {
"policyDefinitions": {
"denyDatabricksSku": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku')]"
},
"enforceAlzSandbox": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox')]"
},
"policyAssignmentNames": {
"denyDatabricksSku": "Deny-DataB-Sku",
"description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD.",
"displayName": "Enforces the use of Premium Databricks workspaces"
"alzSandbox": "Enforce-ALZ-Sandbox",
"description": "This initiative will help enforce and govern subscriptions that are placed within the Sandobx Management Group. See https://aka.ms/alz/policies for more information.",
"displayName": "Enforce ALZ Sandbox Guardrails"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyDatabricksSku]",
"name": "[variables('policyAssignmentNames').alzSandbox]",
"location": "[deployment().location]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyDatabricksSku]",
"policyDefinitionId": "[variables('policyDefinitions').enforceAlzSandbox]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
"value": "Deny"
"listOfResourceTypesNotAllowed": {
"value": "[parameters('listOfResourceTypesNotAllowed')]"
}
}
}
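Review bot: The `listOfResourceTypesNotAllowed` default for the sandbox omits `microsoft.network/virtualnetworkgateways`, `microsoft.network/expressrouteports` and `microsoft.network/p2svpngateways`, all of which the Deny-HybridNetworking list earlier in this commit includes, so a sandbox subscription could still deploy a VPN or ExpressRoute virtual network gateway; if the intent is to keep sandboxes isolated from hybrid connectivity, align the two lists (the sandbox list does add `microsoft.network/virtualhubs`). The `description` also contains a typo, `Sandobx` → `Sandbox`. The enclosing `resources` array continues past the end of the hunk.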


@ -0,0 +1,65 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
"type": "string",
"metadata": {
"description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
}
},
"enforcementMode": {
"type": "string",
"allowedValues": [
"Default",
"DoNotEnforce"
],
"defaultValue": "Default"
}
},
"variables": {
"policyDefinitions": {
"enforceAcsb": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB')]"
},
"policyAssignmentNames": {
"enforceAcsb": "Enforce-ACSB",
"description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines.",
"displayName": "Enforce Azure Compute Security Baseline compliance auditing"
},
"rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleAssignmentNames": {
"deployRoles": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').enforceAcsb))]"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').enforceAcsb]",
"location": "[deployment().location]",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').enforceAcsb]",
"enforcementMode": "[parameters('enforcementMode')]"
}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2019-04-01-preview",
"name": "[variables('roleAssignmentNames').deployRoles]",
"dependsOn": [
"[variables('policyAssignmentNames').enforceAcsb]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').enforceAcsb), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
}
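Review bot: This template uses the `tenantDeploymentTemplate.json` schema while the other new assignment templates in this commit (Deploy-MDFC-OssDb, Deploy-MDEndpoints, Enforce-ALZ-Decomm) use `managementGroupDeploymentTemplate.json` for the same `policyAssignments` plus `roleAssignments` pattern; unless tenant-scope deployment is intended, the `$schema` should be `"https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#"` for consistency. The Contributor grant for a compliance-auditing initiative also deserves a check against the member definitions' `roleDefinitionIds`, as raised for Deploy-MDFC-OssDb.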


@ -1,5 +1,5 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"topLevelManagementGroupPrefix": {
@ -19,29 +19,24 @@
},
"variables": {
"policyDefinitions": {
"denyDatabricksVnet": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork')]"
},
"enforceGuardrailsKeyVault": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault')]"
},
"policyAssignmentNames": {
"denyDatabricksVnet": "Deny-DataB-Vnet",
"description": "Enforces the use of vnet injection for Databricks workspaces.",
"displayName": "Enforces the use of vnet injection for Databricks"
"enforceGuardrailsKeyVault": "Enforce-GR-KeyVault",
"description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault.",
"displayName": "Enforce recommendded guardrails for Azure Key Vault"
}
},
"resources": [
{
"type": "Microsoft.Authorization/policyAssignments",
"apiVersion": "2019-09-01",
"name": "[variables('policyAssignmentNames').denyDatabricksVnet]",
"name": "[variables('policyAssignmentNames').enforceGuardrailsKeyVault]",
"properties": {
"description": "[variables('policyAssignmentNames').description]",
"displayName": "[variables('policyAssignmentNames').displayName]",
"policyDefinitionId": "[variables('policyDefinitions').denyDatabricksVnet]",
"enforcementMode": "[parameters('enforcementMode')]",
"parameters": {
"effect": {
"value": "Deny"
}
}
"policyDefinitionId": "[variables('policyDefinitions').enforceGuardrailsKeyVault]",
"enforcementMode": "[parameters('enforcementMode')]"
}
}
],
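Review bot: The assignment passes no `parameters` to the `Enforce-Guardrails-KeyVault` initiative, so every member policy runs with the initiative's default effects and the template offers no way to switch them to audit for a staged rollout (the Deny-HybridNetworking template exposes `policyEffect` for exactly that). If the initiative declares effect parameters, surface them here; otherwise state in the `description` that initiative defaults apply. The `displayName` has a typo, `recommendded` → `recommended`. The `$schema` change to `tenantDeploymentTemplate.json` in the first hunk matches Enforce-ACSB but not the other management-group templates in this commit; the `resources` array continues past the last hunk.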



@ -0,0 +1,69 @@
{
"name": "Audit-Disks-UnusedResourcesCostOptimization",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Unused Disks driving cost should be avoided",
"mode": "All",
"description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Disks that are driving cost.",
"metadata": {
"version": "1.0.0",
"category": "Cost Optimization",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/disks"
},
{
"field": "Microsoft.Compute/disks/diskState",
"equals": "Unattached"
},
{
"allof": [
{
"field": "name",
"notlike": "*-ASRReplica"
},
{
"field": "name",
"notlike": "ms-asr-*"
},
{
"field": "name",
"notlike": "asrseeddisk-*"
}
]
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
}
}
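Review bot: The inner condition uses `allof` while the outer one uses `allOf`; Azure Policy matches rule keywords case-insensitively as far as I know, but the mixed casing reads like a typo, so use `"allOf": [` in both places. The `notlike` exclusions for `*-ASRReplica`, `ms-asr-*` and `asrseeddisk-*` form an undocumented allow-list; a sentence in `description` saying that what appear to be Site Recovery replica and seed disks are excluded because they are unattached by design would stop someone from "fixing" them later. With `"mode": "All"` the rule is also evaluated for resource groups and subscriptions, which the `type` equals filter tolerates, but `Indexed` is the usual choice for a resource-property audit.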


@ -0,0 +1,126 @@
{
"name": "Audit-PrivateLinkDnsZones",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Audit the creation of Private Link Private DNS Zones",
"description": "This policy audits the creation of a Private Link Private DNS Zones in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription",
"metadata": {
"version": "1.0.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effect": {
"type": "String",
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"privateLinkDnsZones": {
"type": "Array",
"metadata": {
"displayName": "Private Link Private DNS Zones",
"description": "An array of Private Link Private DNS Zones to check for the existence of in the assigned scope."
},
"defaultValue": [
"privatelink.adf.azure.com",
"privatelink.afs.azure.net",
"privatelink.agentsvc.azure-automation.net",
"privatelink.analysis.windows.net",
"privatelink.api.azureml.ms",
"privatelink.azconfig.io",
"privatelink.azure-api.net",
"privatelink.azure-automation.net",
"privatelink.azurecr.io",
"privatelink.azure-devices.net",
"privatelink.azure-devices-provisioning.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azurestaticapps.net",
"privatelink.azuresynapse.net",
"privatelink.azurewebsites.net",
"privatelink.batch.azure.com",
"privatelink.blob.core.windows.net",
"privatelink.cassandra.cosmos.azure.com",
"privatelink.cognitiveservices.azure.com",
"privatelink.database.windows.net",
"privatelink.datafactory.azure.net",
"privatelink.dev.azuresynapse.net",
"privatelink.dfs.core.windows.net",
"privatelink.dicom.azurehealthcareapis.com",
"privatelink.digitaltwins.azure.net",
"privatelink.directline.botframework.com",
"privatelink.documents.azure.com",
"privatelink.eventgrid.azure.net",
"privatelink.file.core.windows.net",
"privatelink.gremlin.cosmos.azure.com",
"privatelink.guestconfiguration.azure.com",
"privatelink.his.arc.azure.com",
"privatelink.kubernetesconfiguration.azure.com",
"privatelink.managedhsm.azure.net",
"privatelink.mariadb.database.azure.com",
"privatelink.media.azure.net",
"privatelink.mongo.cosmos.azure.com",
"privatelink.monitor.azure.com",
"privatelink.mysql.database.azure.com",
"privatelink.notebooks.azure.net",
"privatelink.ods.opinsights.azure.com",
"privatelink.oms.opinsights.azure.com",
"privatelink.pbidedicated.windows.net",
"privatelink.postgres.database.azure.com",
"privatelink.prod.migration.windowsazure.com",
"privatelink.purview.azure.com",
"privatelink.purviewstudio.azure.com",
"privatelink.queue.core.windows.net",
"privatelink.redis.cache.windows.net",
"privatelink.redisenterprise.cache.azure.net",
"privatelink.search.windows.net",
"privatelink.service.signalr.net",
"privatelink.servicebus.windows.net",
"privatelink.siterecovery.windowsazure.com",
"privatelink.sql.azuresynapse.net",
"privatelink.table.core.windows.net",
"privatelink.table.cosmos.azure.com",
"privatelink.tip1.powerquery.microsoft.com",
"privatelink.token.botframework.com",
"privatelink.vaultcore.azure.net",
"privatelink.web.core.windows.net",
"privatelink.webpubsub.azure.com"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/privateDnsZones"
},
{
"field": "name",
"in": "[[parameters('privateLinkDnsZones')]"
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
}
}
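Review bot: The displayName and description at L2275-2276 present this policy as audit-only, yet `Deny` is an allowed value for `effect` at L2292, so an assignor choosing Deny will block creation of the listed zones in the assigned scope without the text saying so. Either document the option, e.g. `... When the effect is set to Deny, creation of the listed zones in this scope is blocked.`, or remove `Deny` from allowedValues if auditing is the only intended use.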


@ -0,0 +1,89 @@
{
"name": "Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Unused Public IP addresses driving cost should be avoided",
"mode": "All",
"description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned Public IP addresses that are driving cost.",
"metadata": {
"version": "1.0.0",
"category": "Cost Optimization",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "microsoft.network/publicIpAddresses"
},
{
"field": "Microsoft.Network/publicIPAddresses/sku.name",
"notEquals": "Basic"
},
{
"anyOf": [
{
"field": "Microsoft.Network/publicIPAddresses/natGateway",
"exists": false
},
{
"value": "[[equals(length(field('Microsoft.Network/publicIPAddresses/natGateway')), 0)]",
"equals": true
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Network/publicIPAddresses/ipConfiguration",
"exists": false
},
{
"value": "[[equals(length(field('Microsoft.Network/publicIPAddresses/ipConfiguration')), 0)]",
"equals": true
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Network/publicIPAddresses/publicIPPrefix",
"exists": false
},
{
"value": "[[equals(length(field('Microsoft.Network/publicIPAddresses/publicIPPrefix')), 0)]",
"equals": true
}
]
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
}
}
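Review bot: The `sku.name notEquals Basic` filter at L2439-2440 silently narrows the audit to non-Basic addresses and nothing in the description at L2406 says so; the same applies to the `sku.tier notEquals Free` filter in Audit-ServerFarms-UnusedResourcesCostOptimization at L2532-2533. Suggest extending each description with the exclusion, e.g. `Basic SKU public IP addresses are not evaluated.` and `Free tier App Service plans are not evaluated.`. The type comparison at L2436 also uses `microsoft.network/publicIpAddresses` in lower case while the alias fields in the same rule and the other new definitions use `Microsoft.`-cased resource types; the comparison is case-insensitive as far as I know, but the inconsistent spelling is worth normalising.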


@ -0,0 +1,57 @@
{
"name": "Audit-ServerFarms-UnusedResourcesCostOptimization",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Unused App Service plans driving cost should be avoided",
"mode": "All",
"description": "Optimize cost by detecting unused but chargeable resources. Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.",
"metadata": {
"version": "1.0.0",
"category": "Cost Optimization",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/serverfarms"
},
{
"field": "Microsoft.Web/serverFarms/sku.tier",
"notEquals": "Free"
},
{
"field": "Microsoft.Web/serverFarms/numberOfSites",
"equals": 0
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
}
}


@ -0,0 +1,141 @@
{
"name": "Deny-MgmtPorts-From-Internet",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "Management port access from the Internet should be blocked",
"description": "This policy denies any network security rule that allows management port access from the Internet",
"metadata": {
"version": "1.0.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"ports": {
"type": "Array",
"metadata": {
"displayName": "Ports",
"description": "Ports to be blocked"
},
"defaultValue": [
"22",
"3389"
]
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
{
"allOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/access",
"equals": "Allow"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/direction",
"equals": "Inbound"
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange",
"in": "[[parameters('ports')]"
},
{
"count": {
"value": "[[parameters('ports')]",
"where": {
"value": "[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]",
"equals": "true"
}
},
"greater": 0
},
{
"count": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"where": {
"value": "[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),parameters('ports')),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),parameters('ports'))) , 'false')]",
"equals": "true"
}
},
"greater": 0
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
"notIn": "[[parameters('ports')]"
}
}
]
},
{
"anyOf": [
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "*"
},
{
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix",
"equals": "Internet"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "*"
}
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]",
"notEquals": "Internet"
}
}
]
}
]
}
]
},
"then": {
"effect": "[[parameters('effect')]"
}
}
}
}
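Review bot: The second `count` at L2635-2643 does not appear to do what the first one at L2625-2633 does: its `where` clause reads `first(field('...destinationPortRanges[*]'))` instead of `current()`, so every iteration inspects only the first entry of `destinationPortRanges`, and it compares the range bounds against `parameters('ports')` — an array — rather than an individual port, so a rule such as `destinationPortRanges: ["80", "3000-4000"]` would likely slip past the range check even though 3389 sits inside the second entry (a literal `"3389"` entry is still caught by the `notIn` clause at L2650-2654, but a range is not). Rewriting the clause as a nested count, with the inner count iterating `parameters('ports')` under a name and the outer `current('…destinationPortRanges[*]')` supplying the range, covers every entry against every port; the proposed block is below. Separately, the source checks at L2658-2680 match only `*` and `Internet`; an explicit `0.0.0.0/0` prefix is equivalent for this purpose and could be added to both `anyOf` lists.
```json
{
  "count": {
    "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]",
    "where": {
      "count": {
        "value": "[[parameters('ports')]",
        "name": "port",
        "where": {
          "value": "[[if(contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))), int(current('port'))), greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))), int(current('port')))), 'false')]",
          "equals": "true"
        }
      },
      "greater": 0
    }
  },
  "greater": 0
}
```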


@ -6,10 +6,10 @@
"properties": {
"policyType": "Custom",
"mode": "All",
"displayName": "RDP access from the Internet should be blocked",
"description": "This policy denies any network security rule that allows RDP access from Internet",
"displayName": "[Deprecated]: RDP access from the Internet should be blocked",
"description": "This policy denies any network security rule that allows RDP access from Internet. This policy is superceded by new custom ALZ policy 'Deny-MgmtPorts-From-Internet'.",
"metadata": {
"version": "1.0.0",
"version": "1.0.0-deprecated",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
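Review bot: The new description at L2702 has a spelling error: `superceded` should be `superseded`. This string is shown to assignors in the portal, so it is worth fixing before the deprecated version ships.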


@ -9,7 +9,7 @@
"displayName": "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace",
"description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
"metadata": {
"version": "1.1.0",
"version": "1.2.0",
"category": "Monitoring",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -157,6 +157,10 @@
{
"category": "PublishFailures",
"enabled": "[[parameters('logsEnabled')]"
},
{
"category": "DataPlaneRequests",
"enabled": "[[parameters('logsEnabled')]"
}
]
}


@ -0,0 +1,201 @@
{
"name": "Deploy-Diagnostics-VWanS2SVPNGW",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deploy Diagnostic Settings for VWAN S2S VPN Gateway to Log Analytics workspace",
"description": "Deploys the diagnostic settings for VWAN S2S VPN Gateway to stream to a Log Analytics workspace when any VWAN S2S VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.",
"metadata": {
"version": "1.0.0",
"category": "Monitoring",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Log Analytics workspace",
"description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
"strongType": "omsWorkspace"
}
},
"effect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"profileName": {
"type": "String",
"defaultValue": "setbypolicy",
"metadata": {
"displayName": "Profile name",
"description": "The diagnostic settings profile name"
}
},
"metricsEnabled": {
"type": "String",
"defaultValue": "True",
"allowedValues": [
"True",
"False"
],
"metadata": {
"displayName": "Enable metrics",
"description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
}
},
"logsEnabled": {
"type": "String",
"defaultValue": "True",
"allowedValues": [
"True",
"False"
],
"metadata": {
"displayName": "Enable logs",
"description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Network/vpnGateways"
},
"then": {
"effect": "[[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"name": "[[parameters('profileName')]",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "true"
},
{
"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
"equals": "true"
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[[parameters('logAnalytics')]"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"deployment": {
"properties": {
"mode": "Incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "String"
},
"logAnalytics": {
"type": "String"
},
"location": {
"type": "String"
},
"profileName": {
"type": "String"
},
"metricsEnabled": {
"type": "String"
},
"logsEnabled": {
"type": "String"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/vpnGateways/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
"location": "[[parameters('location')]",
"dependsOn": [],
"properties": {
"workspaceId": "[[parameters('logAnalytics')]",
"metrics": [
{
"category": "AllMetrics",
"enabled": "[[parameters('metricsEnabled')]",
"retentionPolicy": {
"days": 0,
"enabled": false
},
"timeGrain": null
}
],
"logs": [
{
"category": "GatewayDiagnosticLog",
"enabled": "[[parameters('logsEnabled')]"
},
{
"category": "IKEDiagnosticLog",
"enabled": "[[parameters('logsEnabled')]"
},
{
"category": "RouteDiagnosticLog",
"enabled": "[[parameters('logsEnabled')]"
},
{
"category": "TunnelDiagnosticLog",
"enabled": "[[parameters('logsEnabled')]"
}
]
}
}
],
"outputs": {}
},
"parameters": {
"logAnalytics": {
"value": "[[parameters('logAnalytics')]"
},
"location": {
"value": "[[field('location')]"
},
"resourceName": {
"value": "[[field('name')]"
},
"profileName": {
"value": "[[parameters('profileName')]"
},
"metricsEnabled": {
"value": "[[parameters('metricsEnabled')]"
},
"logsEnabled": {
"value": "[[parameters('logsEnabled')]"
}
}
}
}
}
}
}
}
}
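Review bot: The nested deployment template at L2844 references its schema over plain `http://` (`http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#`) while the other new definition in this commit, Deploy-Vm-autoShutdown at L3075, uses `https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#`; the schema reference is not fetched at deploy time as far as I know, but aligning on the https 2019-04-01 schema keeps the new files consistent. The diagnostic settings resource at L2870 also pins `2017-05-01-preview`; if a non-preview API version of `Microsoft.Insights/diagnosticSettings` is acceptable to the rest of the repo, a brand-new definition would be better off not relying on a preview contract.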


@ -9,7 +9,7 @@
"displayName": "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace",
"description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.",
"metadata": {
"version": "1.2.0",
"version": "1.3.0",
"category": "Monitoring",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -151,6 +151,10 @@
{
"category": "SessionHostManagement",
"enabled": "[[parameters('logsEnabled')]"
},
{
"category": "ConnectionGraphicsData",
"enabled": "[[parameters('logsEnabled')]"
}
]
}


@ -6,10 +6,10 @@
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deploy SQL Database Transparent Data Encryption",
"description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment",
"displayName": "[Deprecated]: Deploy SQL Database Transparent Data Encryption",
"description": "Deploy the Transparent Data Encryption when it is not enabled in the deployment. Please use this policy instead https://www.azadvertizer.net/azpolicyadvertizer/86a912f6-9a06-4e26-b447-11b16ba8659f.html",
"metadata": {
"version": "1.1.0",
"version": "1.1.0-deprecated",
"category": "SQL",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
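Review bot: The deprecation text at L2970 sends users to a third-party site (azadvertizer.net) rather than naming the replacement policy, whereas the Deny-RDP deprecation in this same commit (L2702) names its successor directly. Naming the built-in by its definition id in the description keeps the guidance usable without an external dependency, e.g. `... This policy is superseded by built-in policy definition 86a912f6-9a06-4e26-b447-11b16ba8659f.`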


@ -0,0 +1,196 @@
{
"name": "Deploy-Vm-autoShutdown",
"type": "Microsoft.Authorization/policyDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"mode": "Indexed",
"displayName": "Deploy Virtual Machine Auto Shutdown Schedule",
"description": "Deploys an auto shutdown schedule to a virtual machine",
"metadata": {
"version": "1.0.0",
"category": "Compute",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"time": {
"type": "String",
"metadata": {
"displayName": "Scheduled Shutdown Time",
"description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM"
},
"defaultValue": "0000"
},
"timeZoneId": {
"type": "string",
"defaultValue": "UTC",
"metadata": {
"displayName": "Time zone",
"description": "The time zone ID (e.g. Pacific Standard time)."
}
},
"EnableNotification": {
"type": "string",
"defaultValue": "Disabled",
"metadata": {
"displayName": "Send Notification before auto-shutdown",
"description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)."
},
"allowedValues": [
"Disabled",
"Enabled"
]
},
"NotificationEmailRecipient": {
"type": "string",
"defaultValue": "",
"metadata": {
"displayName": "Email Address",
"description": "Email address to be used for notification"
}
},
"NotificationWebhookUrl": {
"type": "string",
"defaultValue": "",
"metadata": {
"displayName": "Webhook URL",
"description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen."
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.DevTestLab/schedules",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.DevTestLab/schedules/taskType",
"equals": "ComputeVmShutdownTask"
},
{
"field": "Microsoft.DevTestLab/schedules/targetResourceId",
"equals": "[[concat(resourceGroup().id,'/providers/Microsoft.Compute/virtualMachines/',field('name'))]"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"vmName": {
"type": "string"
},
"location": {
"type": "string"
},
"time": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Daily Scheduled shutdown time. i.e. 2300 = 11:00 PM"
}
},
"timeZoneId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The time zone ID (e.g. Pacific Standard time)."
}
},
"EnableNotification": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "If notifications are enabled for this schedule (i.e. Enabled, Disabled)."
}
},
"NotificationEmailRecipient": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Email address to be used for notification"
}
},
"NotificationWebhookUrl": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "A notification will be posted to the specified webhook endpoint when the auto-shutdown is about to happen."
}
}
},
"variables": {},
"resources": [
{
"name": "[[concat('shutdown-computevm-',parameters('vmName'))]",
"type": "Microsoft.DevTestLab/schedules",
"location": "[[parameters('location')]",
"apiVersion": "2018-09-15",
"properties": {
"status": "Enabled",
"taskType": "ComputeVmShutdownTask",
"dailyRecurrence": {
"time": "[[parameters('time')]"
},
"timeZoneId": "[[parameters('timeZoneId')]",
"notificationSettings": {
"status": "[[parameters('EnableNotification')]",
"timeInMinutes": 30,
"webhookUrl": "[[parameters('NotificationWebhookUrl')]",
"emailRecipient": "[[parameters('NotificationEmailRecipient')]",
"notificationLocale": "en"
},
"targetResourceId": "[[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
}
}
],
"outputs": {}
},
"parameters": {
"vmName": {
"value": "[[field('name')]"
},
"location": {
"value": "[[field('location')]"
},
"time": {
"value": "[[parameters('time')]"
},
"timeZoneId": {
"value": "[[parameters('timeZoneId')]"
},
"EnableNotification": {
"value": "[[parameters('EnableNotification')]"
},
"NotificationEmailRecipient": {
"value": "[[parameters('NotificationEmailRecipient')]"
},
"NotificationWebhookUrl": {
"value": "[[parameters('NotificationWebhookUrl')]"
}
}
}
}
}
}
}
}
}
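Review bot: The effect at L3053 is hard-coded to `deployIfNotExists`, while every other definition in this commit exposes an `effect` parameter with `Disabled` as an allowed value, so this policy cannot be switched off at assignment short of deleting the assignment. Suggest adding the parameter below and changing L3053 to `"effect": "[[parameters('effect')]"`. Parameter naming is also mixed: `time`/`timeZoneId` are camel case and `EnableNotification`/`NotificationEmailRecipient`/`NotificationWebhookUrl` are Pascal case, and `time` declares `"type": "String"` at L3003 while its siblings use `"string"`; worth normalising before the definition is published. Finally, the webhook URL passed through at L3137 is stored in clear on the `Microsoft.DevTestLab/schedules` resource, so if the endpoint embeds an authentication token the parameter description at L3043 should say that anyone with read access to the VM's resource group can see it.
```json
"effect": {
  "type": "String",
  "defaultValue": "DeployIfNotExists",
  "allowedValues": [
    "DeployIfNotExists",
    "Disabled"
  ],
  "metadata": {
    "displayName": "Effect",
    "description": "Enable or disable the execution of the policy"
  }
}
```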


@ -0,0 +1,92 @@
{
"name": "Audit-UnusedResourcesCostOptimization",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Unused resources driving cost should be avoided",
"description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.",
"metadata": {
"version": "1.0.0",
"category": "Cost Optimization",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effectDisks": {
"type": "String",
"metadata": {
"displayName": "Disks Effect",
"description": "Enable or disable the execution of the policy for Microsoft.Compute/disks"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"effectPublicIpAddresses": {
"type": "String",
"metadata": {
"displayName": "PublicIpAddresses Effect",
"description": "Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
},
"effectServerFarms": {
"type": "String",
"metadata": {
"displayName": "ServerFarms Effect",
"description": "Enable or disable the execution of the policy for Microsoft.Web/serverfarms"
},
"allowedValues": [
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "AuditDisksUnusedResourcesCostOptimization",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization",
"parameters": {
"effect": {
"value": "[[parameters('effectDisks')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "AuditPublicIpAddressesUnusedResourcesCostOptimization",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization",
"parameters": {
"effect": {
"value": "[[parameters('effectPublicIpAddresses')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization",
"parameters": {
"effect": {
"value": "[[parameters('effectServerFarms')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}


@ -119,6 +119,19 @@
"Disabled"
],
"defaultValue": "Deny"
},
"MariaDbPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Azure MariaDB",
"description": "This policy denies creation of Azure MariaDB with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyDefinitions": [
@ -201,6 +214,16 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "MariaDbDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB",
"parameters": {
"effect": {
"value": "[[parameters('MariaDbPublicIpDenyEffect')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null


@ -119,6 +119,19 @@
"Disabled"
],
"defaultValue": "Deny"
},
"MariaDbPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Azure MariaDB",
"description": "This policy denies creation of Azure MariaDB with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyDefinitions": [
@ -201,6 +214,16 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "MariaDbDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB",
"parameters": {
"effect": {
"value": "[[parameters('MariaDbPublicIpDenyEffect')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null


@ -8,7 +8,7 @@
"displayName": "Public network access should be disabled for PaaS services",
"description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints",
"metadata": {
"version": "1.0.1",
"version": "3.0.0",
"category": "Network",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -145,6 +145,135 @@
"Disabled"
],
"defaultValue": "Deny"
},
"MariaDbPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Azure MariaDB",
"description": "This policy denies creation of Azure MariaDB with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"MlPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Azure Machine Learning",
"description": "This policy denies creation of Azure Machine Learning with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"RedisCachePublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Azure Cache for Redis",
"description": "This policy denies creation of Azure Cache for Redis with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"BotServicePublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Bot Service",
"description": "This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"AutomationPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Automation accounts",
"description": "This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"AppConfigPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for App Configuration",
"description": "This policy denies creation of App Configuration with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"FunctionPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for Function apps",
"description": "This policy denies creation of Function apps with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"AsePublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for App Service Environment apps",
"description": "This policy denies creation of App Service Environment apps with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"AsPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for App Service apps",
"description": "This policy denies creation of App Service apps with exposed public endpoints"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"ApiManPublicIpDenyEffect": {
"type": "String",
"metadata": {
"displayName": "Public network access should be disabled for API Management services",
"description": "This policy denies creation of API Management services with exposed public endpoints"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyDefinitions": [
@ -160,7 +289,7 @@
},
{
"policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b",
"parameters": {
"effect": {
"value": "[[parameters('KeyVaultPublicIpDenyEffect')]"
@ -180,7 +309,7 @@
},
{
"policyDefinitionReferenceId": "StorageDenyPaasPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693",
"parameters": {
"effect": {
"value": "[[parameters('StoragePublicIpDenyEffect')]"
@ -247,6 +376,106 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "MariaDbDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB",
"parameters": {
"effect": {
"value": "[[parameters('MariaDbPublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "MlDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess",
"parameters": {
"effect": {
"value": "[[parameters('MlPublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "RedisCacheDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663",
"parameters": {
"effect": {
"value": "[[parameters('RedisCachePublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "BotServiceDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d",
"parameters": {
"effect": {
"value": "[[parameters('BotServicePublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "AutomationDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6",
"parameters": {
"effect": {
"value": "[[parameters('AutomationPublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "AppConfigDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187",
"parameters": {
"effect": {
"value": "[[parameters('AppConfigPublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "FunctionDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127",
"parameters": {
"effect": {
"value": "[[parameters('FunctionPublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "AseDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3",
"parameters": {
"effect": {
"value": "[[parameters('AsePublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "AsDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba",
"parameters": {
"effect": {
"value": "[[parameters('AsPublicIpDenyEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "ApiManDenyPublicIP",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd",
"parameters": {
"effect": {
"value": "[[parameters('ApiManPublicIpDenyEffect')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null


@ -775,6 +775,18 @@
"displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
"description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
}
},
"VWanS2SVPNGWLogAnalyticsEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
"description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
}
}
},
"policyDefinitions": [
@ -1782,8 +1794,24 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
"parameters": {
"logAnalytics": {
"value": "[[parameters('logAnalytics')]"
},
"effect": {
"value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
},
"profileName": {
"value": "[[parameters('profileName')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
}
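Review bot: The description of the new `VWanS2SVPNGWLogAnalyticsEffect` parameter still reads "when any storage account which is missing this diagnostic settings is created or updated", carried over from the Storage Accounts parameter directly above it; the same copied text appears in the two following file sections, which add the identical parameter. Suggest `"description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any VWAN S2S VPN gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"`. The referenced `Deploy-Diagnostics-VWanS2SVPNGW` definition uses the same contoso management-group placeholder as the other custom references in this set, so it presumably is substituted at build time; the custom definition has to be deployed before this set can be created.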


@ -775,6 +775,18 @@
"displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
"description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
}
},
"VWanS2SVPNGWLogAnalyticsEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
"description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
}
}
},
"policyDefinitions": [
@ -1782,8 +1794,24 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
"parameters": {
"logAnalytics": {
"value": "[[parameters('logAnalytics')]"
},
"effect": {
"value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
},
"profileName": {
"value": "[[parameters('profileName')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
}


@ -799,6 +799,18 @@
"displayName": "Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace",
"description": "Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
}
},
"VWanS2SVPNGWLogAnalyticsEffect": {
"type": "String",
"defaultValue": "DeployIfNotExists",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"metadata": {
"displayName": "Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace",
"description": "Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
}
}
},
"policyDefinitions": [
@ -1905,6 +1917,22 @@
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW",
"parameters": {
"logAnalytics": {
"value": "[[parameters('logAnalytics')]"
},
"effect": {
"value": "[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]"
},
"profileName": {
"value": "[[parameters('profileName')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null


@ -1,337 +1,441 @@
{
"name": "Deploy-MDFC-Config",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Deploy Microsoft Defender for Cloud configuration",
"description": "Deploy Microsoft Defender for Cloud configuration",
"metadata": {
"version": "3.1.1",
"category": "Security Center",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud"
]
},
"parameters": {
"emailSecurityContact": {
"type": "string",
"name": "Deploy-MDFC-Config",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Deploy Microsoft Defender for Cloud configuration",
"description": "Deploy Microsoft Defender for Cloud configuration",
"metadata": {
"displayName": "Security contacts email address",
"description": "Provide email address for Microsoft Defender for Cloud contact details"
}
},
"minimalSeverity": {
"type": "string",
"allowedValues": [
"High",
"Medium",
"Low"
"version": "5.0.0",
"category": "Security Center",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud"
]
},
"parameters": {
"emailSecurityContact": {
"type": "string",
"metadata": {
"displayName": "Security contacts email address",
"description": "Provide email address for Microsoft Defender for Cloud contact details"
}
},
"minimalSeverity": {
"type": "string",
"allowedValues": [
"High",
"Medium",
"Low"
],
"defaultValue": "High",
"metadata": {
"displayName": "Minimal severity",
"description": "Defines the minimal alert severity which will be sent as email notifications"
}
},
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Primary Log Analytics workspace",
"description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
"strongType": "omsWorkspace"
}
},
"ascExportResourceGroupName": {
"type": "String",
"metadata": {
"displayName": "Resource Group name for the export to Log Analytics workspace configuration",
"description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
}
},
"ascExportResourceGroupLocation": {
"type": "String",
"metadata": {
"displayName": "Resource Group location for the export to Log Analytics workspace configuration",
"description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
}
},
"enableAscForCosmosDbs": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForSql": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForSqlOnVm": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForDns": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForArm": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForOssDb": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForAppServices": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForKeyVault": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForStorage": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForContainers": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForServers": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForServersVulnerabilityAssessments": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"vulnerabilityAssessmentProvider": {
"type": "String",
"allowedValues": [
"default",
"mdeTvm"
],
"defaultValue": "default",
"metadata": {
"displayName": "Vulnerability assessment provider type",
"description": "Select the vulnerability assessment solution to provision to machines."
}
},
"enableAscForApis": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForCspm": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "defenderForOssDb",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForOssDb')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForVM",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForServers')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForServersVulnerabilityAssessments')]"
},
"vaType": {
"value": "[[parameters('vulnerabilityAssessmentProvider')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForSqlOnVm')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForAppServices",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForAppServices')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForStorageAccounts",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForStorage')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderforContainers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForContainers')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderforKubernetes",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForContainers')]"
},
"logAnalyticsWorkspaceResourceId": {
"value": "[[parameters('logAnalytics')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "azurePolicyForKubernetes",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForContainers')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForKeyVaults",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7",
"parameters": {
"Effect": {
"value": "[[parameters('enableAscForKeyVault')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForDns",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForDns')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForArm",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForArm')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForSqlPaas",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForSql')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForCosmosDbs",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForCosmosDbs')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForApis",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForApis')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForCspm",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForCspm')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "securityEmailContact",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
"parameters": {
"emailSecurityContact": {
"value": "[[parameters('emailSecurityContact')]"
},
"minimalSeverity": {
"value": "[[parameters('minimalSeverity')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "ascExport",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9",
"parameters": {
"resourceGroupName": {
"value": "[[parameters('ascExportResourceGroupName')]"
},
"resourceGroupLocation": {
"value": "[[parameters('ascExportResourceGroupLocation')]"
},
"workspaceResourceId": {
"value": "[[parameters('logAnalytics')]"
}
},
"groupNames": []
}
],
"defaultValue": "High",
"metadata": {
"displayName": "Minimal severity",
"description": "Defines the minimal alert severity which will be sent as email notifications"
}
},
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Primary Log Analytics workspace",
"description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
"strongType": "omsWorkspace"
}
},
"ascExportResourceGroupName": {
"type": "String",
"metadata": {
"displayName": "Resource Group name for the export to Log Analytics workspace configuration",
"description": "The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured."
}
},
"ascExportResourceGroupLocation": {
"type": "String",
"metadata": {
"displayName": "Resource Group location for the export to Log Analytics workspace configuration",
"description": "The location where the resource group and the export to Log Analytics workspace configuration are created."
}
},
"enableAscForCosmosDbs": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForSql": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForSqlOnVm": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForDns": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForArm": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForOssDb": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForAppServices": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForKeyVault": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForStorage": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForContainers": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
},
"enableAscForServers": {
"type": "String",
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
}
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "defenderForOssDb",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForOssDb')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForVM",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForServers')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForSqlOnVm')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForAppServices",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForAppServices')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForStorageAccounts",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForStorage')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderforContainers",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForContainers')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForKeyVaults",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7",
"parameters": {
"Effect": {
"value": "[[parameters('enableAscForKeyVault')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForDns",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForDns')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForArm",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForArm')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForSqlPaas",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForSql')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "defenderForCosmosDbs",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542",
"parameters": {
"effect": {
"value": "[[parameters('enableAscForCosmosDbs')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "securityEmailContact",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts",
"parameters": {
"emailSecurityContact": {
"value": "[[parameters('emailSecurityContact')]"
},
"minimalSeverity": {
"value": "[[parameters('minimalSeverity')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "ascExport",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9",
"parameters": {
"resourceGroupName": {
"value": "[[parameters('ascExportResourceGroupName')]"
},
"resourceGroupLocation": {
"value": "[[parameters('ascExportResourceGroupLocation')]"
},
"workspaceResourceId": {
"value": "[[parameters('logAnalytics')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
"policyDefinitionGroups": null
}
}
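Review bot: The parameters added in the 5.0.0 block — `enableAscForServersVulnerabilityAssessments`, `enableAscForApis` and `enableAscForCspm` — reuse the displayName "Effect" and the description "Enable or disable the execution of the policy" that every other effect parameter in this set already carries, so an assignment form shows well over a dozen identically labelled fields that cannot be told apart. Suggest naming each after the plan it switches, e.g. `"displayName": "Defender for APIs effect"` and `"displayName": "Defender CSPM effect"`, and doing the same for the pre-existing ones while the file is being rewritten anyway. Both new plans default to `DeployIfNotExists`, which presumably turns the plan on for every in-scope subscription; a sentence in each description saying what gets enabled would help the person assigning this set. The rendered view interleaves old and new lines of this whole-file rewrite, so the above was read against the block carrying `"version": "5.0.0"`.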


@ -84,7 +84,7 @@
"policyDefinitions": [
{
"policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f",
"parameters": {
"effect": {
"value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]"


@ -0,0 +1,92 @@
{
"name": "Enforce-ACSB",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Enforce Azure Compute Security Benchmark compliance auditing",
"description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.",
"metadata": {
"version": "1.0.0",
"category": "Guest Configuration",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud"
]
},
"parameters": {
"includeArcMachines": {
"type": "String",
"allowedValues": [
"true",
"false"
],
"metadata": {
"displayName": "Include Arc connected servers",
"description": "By selecting this option, you agree to be charged monthly per Arc connected machine."
},
"defaultValue": "true"
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "AuditIfNotExists"
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "GcIdentity",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
"parameters": {},
"groupNames": []
},
{
"policyDefinitionReferenceId": "GcLinux",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da",
"parameters": {},
"groupNames": []
},
{
"policyDefinitionReferenceId": "GcWindows",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6",
"parameters": {},
"groupNames": []
},
{
"policyDefinitionReferenceId": "WinAcsb",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc",
"parameters": {
"effect": {
"value": "[[parameters('effect')]"
},
"IncludeArcMachines": {
"value": "[[parameters('includeArcMachines')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "LinAcsb",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd",
"parameters": {
"effect": {
"value": "[[parameters('effect')]"
},
"IncludeArcMachines": {
"value": "[[parameters('includeArcMachines')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
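Review bot: The `effect` parameter is wired only into `WinAcsb` and `LinAcsb`; the three prerequisite references `GcIdentity`, `GcLinux` and `GcWindows` pass `"parameters": {}`, so setting `effect` to `Disabled` on an assignment leaves them active. Judging by their reference IDs they add a managed identity and deploy the Guest Configuration extension, i.e. they change machines rather than audit them, and the parameter description should say that they are not governed by it, e.g. `"description": "Effect of the Windows and Linux Azure compute security baseline audit policies. The Guest Configuration prerequisite policies in this set are not controlled by this parameter."`. The set's displayName says "Enforce" while its only configurable effect is `AuditIfNotExists`; "audit" would describe what it does more accurately.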


@ -0,0 +1,52 @@
{
"name": "Enforce-ALZ-Decomm",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Enforce policies in the Decommisioned Landing Zone",
"description": "Enforce policies in the Decommisioned Landing Zone.",
"metadata": {
"version": "1.0.0",
"category": "Decommissioned",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"listOfResourceTypesAllowed":{
"type": "Array",
"defaultValue": null,
"metadata": {
"displayName": "Allowed resource types in the Decommissioned landing zone",
"description": "Allowed resource types in the Decommissioned landing zone, default is none.",
"strongType": "resourceTypes"
}
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "DecomDenyResources",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c",
"parameters": {
"listOfResourceTypesAllowed": {
"value": "[[parameters('listOfResourceTypesAllowed')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "DecomShutdownMachines",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown",
"parameters": {},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
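Review bot: `listOfResourceTypesAllowed` has `"defaultValue": null` while its description promises "default is none"; a null array handed to the built-in `a08ec900-254a-4555-9bf5-e42af04b5c5c` is not the same thing as an empty list, and whether assignment accepts it is not shown here — `"defaultValue": []` states the intent explicitly. The displayName and description spell "Decommisioned"; the category on the line below has the correct "Decommissioned". `"listOfResourceTypesAllowed":{` is missing the space after the colon that every other key in the file has. `DecomShutdownMachines` has no effect parameter, so it cannot be switched off per assignment; a sentence in the set description noting that VMs in scope are shut down unconditionally would help whoever assigns it.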


@ -0,0 +1,84 @@
{
"name": "Enforce-ALZ-Sandbox",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Enforce policies in the Sandbox Landing Zone",
"description": "Enforce policies in the Sandbox Landing Zone.",
"metadata": {
"version": "1.0.0",
"category": "Sandbox",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"listOfResourceTypesNotAllowed": {
"type": "Array",
"defaultValue": null,
"metadata": {
"displayName": "Not allowed resource types in the Sandbox landing zone",
"description": "Not allowed resource types in the Sandbox landing zone, default is none.",
"strongType": "resourceTypes"
}
},
"effectNotAllowedResources": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"effectDenyVnetPeering": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "SandboxNotAllowed",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"parameters": {
"effect": {
"value": "[[parameters('effectNotAllowedResources')]"
},
"listOfResourceTypesNotAllowed": {
"value": "[[parameters('listOfResourceTypesNotAllowed')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "SandboxDenyVnetPeering",
"policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub",
"parameters": {
"effect": {
"value": "[[parameters('effectDenyVnetPeering')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
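Review bot: `effectNotAllowedResources` and `effectDenyVnetPeering` use the identical `"displayName": "Effect"` and the same description, so in the assignment form the two effects cannot be told apart; name them after the control, e.g. `"displayName": "Effect for not allowed resource types"` and `"displayName": "Effect for cross-subscription VNet peering"`. `listOfResourceTypesNotAllowed` defaults to `null` while its description says "default is none" — with an empty or missing list the `SandboxNotAllowed` deny matches nothing, so the description should state that the policy does nothing until a list is supplied, or the default should be an explicit `[]`. `SandboxDenyVnetPeering` points at the `contoso` management-group path, which I assume is rewritten by the loader's string replacement; if it is not, the set would fail to deploy under any other management group.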


@ -8,7 +8,7 @@
"displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
"description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit. ",
"metadata": {
"version": "1.0.0",
"version": "2.0.0",
"category": "Encryption",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -55,18 +55,6 @@
"description": "App Service. Select version minimum TLS version for a Web App config to enforce"
}
},
"APIAppServiceLatestTlsEffect": {
"metadata": {
"displayName": "App Service API App. Latest TLS version should be used in your API App",
"description": "App Service API App. Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version."
},
"type": "String",
"defaultValue": "AuditIfNotExists",
"allowedValues": [
"AuditIfNotExists",
"Disabled"
]
},
"APIAppServiceHttpsEffect": {
"metadata": {
"displayName": "App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.",
@ -398,16 +386,6 @@
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "APIAppServiceLatestTlsEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e",
"parameters": {
"effect": {
"value": "[[parameters('APIAppServiceLatestTlsEffect')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "FunctionLatestTlsEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193",


@ -8,7 +8,7 @@
"displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
"description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
"metadata": {
"version": "1.0.0",
"version": "2.0.0",
"category": "Encryption",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -158,9 +158,10 @@
},
"SqlServerTDECMKEffect": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Audit",
"allowedValues": [
"AuditIfNotExists",
"Audit",
"Deny",
"Disabled"
],
"metadata": {
@ -307,7 +308,7 @@
},
{
"policyDefinitionReferenceId": "SqlServerTDECMKEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
"parameters": {
"effect": {
"value": "[[parameters('SqlServerTDECMKEffect')]"


@ -8,7 +8,7 @@
"displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
"description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
"metadata": {
"version": "1.0.0",
"version": "2.0.0",
"category": "Encryption",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -134,9 +134,10 @@
},
"SqlServerTDECMKEffect": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Audit",
"allowedValues": [
"AuditIfNotExists",
"Audit",
"Deny",
"Disabled"
],
"metadata": {
@ -263,7 +264,7 @@
},
{
"policyDefinitionReferenceId": "SqlServerTDECMKEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
"parameters": {
"effect": {
"value": "[[parameters('SqlServerTDECMKEffect')]"


@ -8,7 +8,7 @@
"displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
"description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
"metadata": {
"version": "1.0.1",
"version": "2.0.0",
"category": "Encryption",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
@ -158,9 +158,10 @@
},
"SqlServerTDECMKEffect": {
"type": "String",
"defaultValue": "AuditIfNotExists",
"defaultValue": "Audit",
"allowedValues": [
"AuditIfNotExists",
"Audit",
"Deny",
"Disabled"
],
"metadata": {
@ -319,7 +320,7 @@
},
{
"policyDefinitionReferenceId": "SqlServerTDECMKEffect",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
"parameters": {
"effect": {
"value": "[[parameters('SqlServerTDECMKEffect')]"


@ -0,0 +1,257 @@
{
"name": "Enforce-Guardrails-KeyVault",
"type": "Microsoft.Authorization/policySetDefinitions",
"apiVersion": "2021-06-01",
"scope": null,
"properties": {
"policyType": "Custom",
"displayName": "Enforce recommendded guardrails for Azure Key Vault",
"description": "Enforce recommendded guardrails for Azure Key Vault.",
"metadata": {
"version": "1.0.0",
"category": "Key Vault",
"source": "https://github.com/Azure/Enterprise-Scale/",
"alzCloudEnvironments": [
"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
"parameters": {
"effectKvSoftDelete": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"effectKvPurgeProtection": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Deny"
},
"effectKvSecretsExpire": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"effectKvKeysExpire": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"effectKvFirewallEnabled": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"effectKvCertLifetime": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"audit",
"Audit",
"deny",
"Deny",
"disabled",
"Disabled"
],
"defaultValue": "Audit"
},
"maximumCertLifePercentageLife": {
"type": "Integer",
"metadata": {
"displayName": "The maximum lifetime percentage",
"description": "Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'."
},
"defaultValue": 80
},
"minimumCertLifeDaysBeforeExpiry": {
"type": "Integer",
"metadata": {
"displayName": "The minimum days before expiry",
"description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
},
"defaultValue": 90
},
"effectKvKeysLifetime": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"minimumKeysLifeDaysBeforeExpiry": {
"type": "Integer",
"metadata": {
"displayName": "The minimum days before expiry",
"description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
},
"defaultValue": 90
},
"effectKvSecretsLifetime": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"Audit",
"Deny",
"Disabled"
],
"defaultValue": "Audit"
},
"minimumSecretsLifeDaysBeforeExpiry": {
"type": "Integer",
"metadata": {
"displayName": "The minimum days before expiry",
"description": "Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'."
},
"defaultValue": 90
}
},
"policyDefinitions": [
{
"policyDefinitionReferenceId": "KvSoftDelete",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d",
"parameters": {
"effect": {
"value": "[[parameters('effectKvSoftDelete')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvPurgeProtection",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
"parameters": {
"effect": {
"value": "[[parameters('effectKvPurgeProtection')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvSecretsExpire",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37",
"parameters": {
"effect": {
"value": "[[parameters('effectKvSecretsExpire')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvKeysExpire",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0",
"parameters": {
"effect": {
"value": "[[parameters('effectKvKeysExpire')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvFirewallEnabled",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490",
"parameters": {
"effect": {
"value": "[[parameters('effectKvFirewallEnabled')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvCertLifetime",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417",
"parameters": {
"effect": {
"value": "[[parameters('effectKvCertLifetime')]"
},
"maximumPercentageLife": {
"value": "[[parameters('maximumCertLifePercentageLife')]"
},
"minimumDaysBeforeExpiry": {
"value": "[[parameters('minimumCertLifeDaysBeforeExpiry')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvKeysLifetime",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146",
"parameters": {
"effect": {
"value": "[[parameters('effectKvKeysLifetime')]"
},
"minimumDaysBeforeExpiration": {
"value": "[[parameters('minimumKeysLifeDaysBeforeExpiry')]"
}
},
"groupNames": []
},
{
"policyDefinitionReferenceId": "KvSecretsLifetime",
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a",
"parameters": {
"effect": {
"value": "[[parameters('effectKvSecretsLifetime')]"
},
"minimumDaysBeforeExpiration": {
"value": "[[parameters('minimumSecretsLifeDaysBeforeExpiry')]"
}
},
"groupNames": []
}
],
"policyDefinitionGroups": null
}
}
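Review bot: The descriptions of `minimumKeysLifeDaysBeforeExpiry` and `minimumSecretsLifeDaysBeforeExpiry` are copied from the certificate parameter and still say "the certificate", although they feed the key and secret lifetime policies; suggest `"description": "Enter the days before expiration of the key when you want to trigger the policy action. For example, to trigger a policy action 90 days before the key's expiration, enter '90'."` and the same wording with "secret" for the other. All eight effect parameters share `"displayName": "Effect"`, so they are indistinguishable in the assignment form; naming each after its control (`"displayName": "Effect for Key Vault soft delete"` and so on) lets an operator see which guardrail they are relaxing when they lower a Deny to Audit. `effectKvCertLifetime` is the only parameter that lists lowercase duplicates of its allowed values; presumably this mirrors the referenced built-in, but it doubles the choices offered for no benefit. "recommendded" in the displayName and description should be "recommended".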


@ -73,6 +73,9 @@ var loadPolicyDefinitions = {
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http.json')
@ -83,6 +86,7 @@ var loadPolicyDefinitions = {
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Redis-http.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS.json')
@ -159,7 +163,10 @@ var loadPolicyDefinitions = {
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-VNET-HubSpoke.json') // Only difference is hard-coded template deployment location (handled by this template)
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json')
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkPrivateDnsZones.json')
]
AzureCloud: [
loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment
@ -201,8 +208,12 @@ var loadPolicyDefinitions = {
// We use loadTextContent instead of loadJsonContent as this allows us to perform string replacement operations against the imported templates.
var loadPolicySetDefinitions = {
All: [
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
]
AzureCloud: [
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
@ -210,6 +221,7 @@ var loadPolicySetDefinitions = {
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json') // Unable to validate if Guest Configuration is working in other clouds
]
AzureChinaCloud: [
loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.AzureChinaCloud.json') // Due to missing built-in Policy Definitions ()
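Review bot: `Deny-MgmtPorts-From-Internet.json` is inserted after `Deny-RDP-From-Internet.json`, and `Deploy-Vm-autoShutdown.json`, `Deploy-Diagnostics-VWanS2SVPNGW.json` and `Audit-PrivateLinkPrivateDnsZones.json` are appended at the tail of the `All` list, while the rest of the list is kept alphabetical; keeping the order sorted makes a duplicate or missing definition visible in review. The new `Enforce-ALZ-Sandbox.json` set references a custom `Deny-VNET-Peer-Cross-Sub` definition that does not appear in the visible hunks of `loadPolicyDefinitions` — presumably it is already loaded elsewhere in the list, but a set that references a definition not deployed before it would fail at deployment, so please confirm. The `loadPolicyDefinitions` and `loadPolicySetDefinitions` declarations both start outside these hunks.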