

Updated ALZ assignment files in line with H224 (#721)
Co-authored-by: Anthony Watherston <[email protected]>
anwather and Anthony Watherston authored Aug 8, 2024
1 parent 9c2e93a commit 1653b73
Showing 8 changed files with 175 additions and 259 deletions.
Expand Up @@ -6,11 +6,14 @@
"/providers/Microsoft.Management/managementGroups/connectivity"
]
},
"parameters": {
"ddosPlan": "" // Replace with DDOS plan Id
},
"children": [
{
"nodeName": "Networking",
"assignment": {
"name": "Enable-DDoS-VNET",
"name": "Enable-DDoS-VNET-Con",
"displayName": "Virtual networks should be protected by Azure DDoS Network Protection",
"description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs."
},
Expand All @@ -19,8 +22,7 @@
"displayName": "Enable DDOS"
},
"parameters": {
"effect": "Modify",
"ddosPlan": "null"
"effect": "Modify"
},
"nonComplianceMessages": [
{
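Review bot: The new top-level `"ddosPlan": ""` is an empty-string placeholder that a JSON parser and, presumably, the assignment tooling will accept as a valid value, so forgetting to replace it would yield a Modify assignment that references no DDoS plan instead of a validation failure. The removed per-assignment `"ddosPlan": "null"` was the literal string "null", so the commit fixes that, but the replacement comment `// Replace with DDOS plan Id` leaves the expected format open; suggest `// Replace with the full resource ID of the DDoS protection plan (/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/ddosProtectionPlans/<plan-name>)`. Whether an empty value is rejected before deployment depends on the tooling, which is outside this hunk, and the enclosing parameters and assignment objects also start and end outside it.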
Expand Up @@ -94,7 +94,7 @@
"azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
"azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
"azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
"azureMachineLearningWorkspaceSecondPrivateDnsZoneId" : "--DNSZonePrefix--privatelink.notebooks.azure.net",
"azureMachineLearningWorkspaceSecondPrivateDnsZoneId": "--DNSZonePrefix--privatelink.notebooks.azure.net",
"azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
"azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net",
"azureBotServicePrivateDnsZoneId": "--DNSZonePrefix--privatelink.directline.botframework.com",
Expand Down Expand Up @@ -150,7 +150,8 @@
"displayName": "Deny the deployment of vWAN/ER/VPN gateway resources"
},
"definitionEntry": {
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"displayName": "Not allowed resource types"
},
"parameters": {
"listOfResourceTypesNotAllowed": [
Expand Down Expand Up @@ -183,8 +184,9 @@
},
"parameters": {
// Replace the ---location--- with the location of the Private Link Private DNS Zone resource
// Replace the ---short-code-location--- with the location short code of the Private Link Private DNS Zone resource e.g. "ae" for Australia East
"privateLinkDnsZones": [
"privatelink.ae.backup.windowsazure.com",
"privatelink.---short-code-location---.backup.windowsazure.com",
"privatelink.---location---.azmk8s.io",
"privatelink.---location---.batch.azure.com",
"privatelink.---location---.kusto.windows.net",
Expand All @@ -202,6 +204,7 @@
"privatelink.azuredatabricks.net",
"privatelink.azurehdinsight.net",
"privatelink.azurehealthcareapis.com",
"privatelink.azureiotcentral.com",
"privatelink.azurestaticapps.net",
"privatelink.azuresynapse.net",
"privatelink.azurewebsites.net",
Expand All @@ -217,8 +220,10 @@
"privatelink.digitaltwins.azure.net",
"privatelink.directline.botframework.com",
"privatelink.documents.azure.com",
"privatelink.dp.kubernetesconfiguration.azure.com",
"privatelink.eventgrid.azure.net",
"privatelink.file.core.windows.net",
"privatelink.grafana.azure.com",
"privatelink.gremlin.cosmos.azure.com",
"privatelink.guestconfiguration.azure.com",
"privatelink.his.arc.azure.com",
Expand Down Expand Up @@ -251,7 +256,9 @@
"privatelink.token.botframework.com",
"privatelink.vaultcore.azure.net",
"privatelink.web.core.windows.net",
"privatelink.webpubsub.azure.com"
"privatelink.webpubsub.azure.com",
"privatelink.wvd.microsoft.com",
"privatelink-global.wvd.microsoft.com"
]
},
"nonComplianceMessages": [
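Review bot: The `privateLinkDnsZones` array now carries two different placeholder tokens, `---location---` and the new `---short-code-location---`, and both are ordinary strings that pass JSON validation, so an entry where only one token was substituted would be deployed as a literal zone name that never matches a real private DNS zone (inferred; the tooling that consumes this file is outside the hunk). The two comment lines above the array document both tokens, which helps, but the first hunk's `--DNSZonePrefix--` values use a third convention in the same file. Consider one placeholder style across the file, or add to the comment a sentence such as `// Any entry still containing a ---...--- token has not been customised and must be edited before this assignment is deployed`.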
Expand Up @@ -19,7 +19,7 @@
},
"definitionEntry": {
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
"displayName": "Deny Public IP"
"displayName": "Not allowed resource types"
},
"parameters": {
"listOfResourceTypesNotAllowed": [
Expand Down Expand Up @@ -83,10 +83,7 @@
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
"displayName": "Deploy VM Backup"
},
"parameters": {
"exclusionTagName": "",
"exclusionTagValue": []
},
"parameters": {},
"nonComplianceMessages": [
{
"message": "Backup on virtual machines without a given tag must be configured to a new recovery services vault with a default policy."
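Review bot: Replacing the VM Backup `parameters` block with `{}` drops the explicit `exclusionTagName`/`exclusionTagValue` values, so the assignment now inherits whatever defaults the built-in definition `98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86` declares; if those defaults differ from the empty values that were set before, the set of VMs enrolled into backup changes silently. The same substitution appears in the fourth file section below. A one-line comment such as `"parameters": {}, // exclusion tag intentionally unset: definition defaults apply to every VM in scope` would record the intent, once the definition's defaults have been confirmed. The enclosing assignment object starts and ends outside this hunk.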
Expand Up @@ -9,14 +9,12 @@
"parameters": {
// The policies deployed at this scope deploy a managed identity - which is then used in the monitoring policies - you can use the same identity for the monitoring policies deployed at the platform level.
"logAnalyticsWorkspaceId": "", // Replace with your central Log Analytics workspace ID
"userAssignedManagedIdentityName": "", // Replace with the name of the user assigned managed identity to deploy
"userAssignedIdentityName": "", // Replace with the name of the user assigned managed identity to deploy
"userAssignedIdentityResourceId": "", // Replace with the resource Id of the user assigned managed identity
"bringYourOwnUserAssignedManagedIdentity": true,
"enableProcessesAndDependencies": true,
"userAssignedManagedIdentityResourceGroup": "", //Replace with the name of the resource group where the user assigned managed identity is deployed
"identityResourceGroup": "", // Replace with the name of the resource group where the user assigned managed identity is to be deployed
"restrictBringYourOwnUserAssignedIdentityToSubscription": false,
"scopeToSupportedImages": false,
"builtInIdentityResourceGroupLocation": "australiaeast"
"ddosPlan": "" // Replace with DDOS plan Id
},
"children": [
{
Expand Down Expand Up @@ -115,7 +113,7 @@
{
"nodeName": "EnableDDOS",
"assignment": {
"name": "Enable-DDoS-VNET",
"name": "Enable-DDoS-VNET-LZ",
"displayName": "Virtual networks should be protected by Azure DDoS Network Protection",
"description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs."
},
Expand All @@ -124,8 +122,7 @@
"displayName": "Audit DDOS Landing Zones"
},
"parameters": {
"effect": "Modify",
"ddosPlan": "null"
"effect": "Modify"
},
"nonComplianceMessages": [
{
Expand Down Expand Up @@ -213,10 +210,7 @@
"policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
"displayName": "Deploy VM Backup"
},
"parameters": {
"exclusionTagName": "",
"exclusionTagValue": []
},
"parameters": {},
"nonComplianceMessages": [
{
"message": "Backup on virtual machines without a given tag must be configured to a new recovery services vault with a default policy."
Expand All @@ -231,7 +225,7 @@
{
"nodeName": "GuardRails",
"assignment": {
"name": "Enforce-GR-KeyVault",
"name": "Enforce-GR-KeyVault-LZ",
"displayName": "Enforce recommended guardrails for Azure Key Vault",
"description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault."
},
Expand All @@ -253,13 +247,13 @@
{
"nodeName": "TLS",
"assignment": {
"name": "Enforce-TLS-SSL",
"name": "Enforce-TLS-SSL-H224",
"displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
"description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit."
},
"definitionEntry": {
"policySetName": "Enforce-EncryptTransit",
"displayName": "Enforce Encrypt Transit"
"policySetName": "Enforce-EncryptTransit_20240509",
"displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit"
},
"nonComplianceMessages": [
{
Expand Down Expand Up @@ -304,12 +298,12 @@
{
"nodeName": "DefenderSQL",
"assignment": {
"name": "Deploy-MDFC-DefenSQL-AMA",
"name": "Deploy-MDFC-SQL-AMA-LZ",
"displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
"description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace."
},
"definitionEntry": {
"policySetName": "Deploy-MDFC-DefenderSQL-AMA",
"policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
"displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
"nonComplianceMessages": [
{
Expand All @@ -319,11 +313,11 @@
]
},
"parameters": {
"dcrResourceGroup": "", // Resource group for the DCR
"dcrId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
"dcrResourceId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
"userWorkspaceResourceId": "", //Log analytics workspace Id
"workspaceRegion": "", // Log analytics workspace region
"dcrName": "" // DCR Name
"enableCollectionOfSqlQueriesForSecurityResearch": "false",
"bringYourOwnDcr": true // Ensure the DCR is deployed
}
},
{
Expand Down Expand Up @@ -351,7 +345,7 @@
{
"nodeName": "UpdateManager",
"assignment": {
"name": "Enable-AUM-CheckUpdates",
"name": "Enable-AUM-Updates-LZ",
"displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
"description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
},
Expand All @@ -366,116 +360,14 @@
]
},
"parameters": {
"locations": [
"asia",
"asiapacific",
"australia",
"australiacentral",
"australiacentral2",
"australiaeast",
"australiasoutheast",
"brazil",
"brazilsouth",
"brazilsoutheast",
"brazilus",
"canada",
"canadacentral",
"canadaeast",
"centralindia",
"centralus",
"centralusstage",
"eastasia",
"eastasiastage",
"eastus",
"eastusstage",
"eastus2",
"eastus2stage",
"europe",
"france",
"francecentral",
"francesouth",
"germany",
"germanynorth",
"germanywestcentral",
"global",
"india",
"israelcentral",
"italynorth",
"japan",
"japaneast",
"japanwest",
"jioindiacentral",
"jioindiawest",
"korea",
"koreacentral",
"koreasouth",
"northcentralus",
"northcentralusstage",
"northeurope",
"norway",
"norwayeast",
"norwaywest",
"polandcentral",
"qatarcentral",
"singapore",
"southafrica",
"southafricanorth",
"southafricawest",
"southcentralus",
"southcentralusstage",
"southindia",
"southeastasia",
"southeastasiastage",
"sweden",
"swedencentral",
"switzerland",
"switzerlandnorth",
"switzerlandwest",
"uaecentral",
"uaenorth",
"uksouth",
"ukwest",
"uae",
"uk",
"unitedstates",
"unitedstateseuap",
"westcentralus",
"westeurope",
"westindia",
"westus",
"westusstage",
"westus2",
"westus2stage",
"westus3"
]
"tagValues": {},
"locations": [],
"tagOperator": "Any",
"assessmentMode": "AutomaticByPlatform"
}
}
]
},
{
"nodeName": "ManagedIdentity",
"children": [
{
"nodeName": "UAMI",
"assignment": {
"name": "Deploy-UAMI-VMInsights",
"displayName": "Deploy User Assigned Managed Identity for VM Insights",
"description": "Deploy User Assigned Managed Identity for VM Insights"
},
"definitionEntry": {
"policyName": "Deploy-UserAssignedManagedIdentity-VMInsights",
"displayName": "Deploy User Assigned Managed Identity for VM Insights",
"nonComplianceMessages": [
{
"policyDefinitionReferenceId": null,
"message": "User Assigned Identity must be created for VM Insights."
}
]
},
"parameters": {}
}
]
},
{
"nodeName": "Monitoring",
"children": [
Expand Down Expand Up @@ -611,6 +503,29 @@
}
}
]
},
{
"nodeName": "Backup",
"children": [
{
"nodeName": "ASR",
"assignment": {
"name": "Enforce-ASR-LZ",
"displayName": "Enforce enhanced recovery and backup policies",
"description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services."
},
"definitionEntry": {
"policySetName": "Enforce-Backup",
"displayName": "Enforce enhanced recovery and backup policies",
"nonComplianceMessages": [
{
"policyDefinitionReferenceId": null,
"message": "Recommended guardrails must be enforced for Azure Recovery Services (Backup and Site Recovery)."
}
]
}
}
]
}
]
}
}
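Review bot: In the DefenderSQL hunk, `"enableCollectionOfSqlQueriesForSecurityResearch": "false"` is the string "false" while the neighbouring `"bringYourOwnDcr": true` is a real boolean; if the initiative `de01d381-bae9-4670-8870-786f89f49e26` declares that parameter as Boolean the string will be rejected, so it should read `"enableCollectionOfSqlQueriesForSecurityResearch": false,` unless the parameter is typed as string (confirm against the definition). The new top-level `"ddosPlan": ""` in the first hunk has the same empty-placeholder concern as the connectivity file above. The new Backup/ASR entry in the last hunk omits the `parameters` key that every sibling assignment carries as `"parameters": {}`; that is presumably accepted if the tooling treats it as optional, but adding it keeps the shape uniform. Several of these hunks cut through the enclosing `children` arrays, so their closing brackets are outside the view.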

