diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Connectivity-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Connectivity-Default.jsonc
index 66137f1f..799782cb 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Connectivity-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Connectivity-Default.jsonc
@@ -6,11 +6,14 @@
 "/providers/Microsoft.Management/managementGroups/connectivity"
 ]
 },
+ "parameters": {
+ "ddosPlan": "" // Replace with DDOS plan Id
+ },
 "children": [
 {
 "nodeName": "Networking",
 "assignment": {
- "name": "Enable-DDoS-VNET",
+ "name": "Enable-DDoS-VNET-Con",
 "displayName": "Virtual networks should be protected by Azure DDoS Network Protection",
 "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs."
 },
@@ -19,8 +22,7 @@
 "displayName": "Enable DDOS"
 },
 "parameters": {
- "effect": "Modify",
- "ddosPlan": "null"
+ "effect": "Modify"
 },
 "nonComplianceMessages": [
 {
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc
index 954f1314..0942c9b3 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc
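Review bot: The new scope-level `"ddosPlan": ""` is what the `Modify` effect in the second hunk (`@@ -19,8 +22,7 @@`) now consumes, and the comment does not say what happens when it is left blank; with an empty plan ID the Modify remediation presumably cannot attach a plan to any virtual network, so the assignment would silently provide no DDoS protection. Suggest `"ddosPlan": "" // Replace with DDOS plan Id (required: the Modify effect cannot remediate without a valid plan resource ID)`. The rename `Enable-DDoS-VNET` → `Enable-DDoS-VNET-Con` is presumably applied as a delete-and-create of the assignment, so compliance history and any exemptions bound to the old name are lost; this applies to every renamed assignment in this commit and is worth stating once for operators.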
@@ -94,7 +94,7 @@
 "azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io",
 "azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
 "azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms",
- "azureMachineLearningWorkspaceSecondPrivateDnsZoneId" : "--DNSZonePrefix--privatelink.notebooks.azure.net",
+ "azureMachineLearningWorkspaceSecondPrivateDnsZoneId": "--DNSZonePrefix--privatelink.notebooks.azure.net",
 "azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net",
 "azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net",
 "azureBotServicePrivateDnsZoneId": "--DNSZonePrefix--privatelink.directline.botframework.com",
@@ -150,7 +150,8 @@
 "displayName": "Deny the deployment of vWAN/ER/VPN gateway resources"
 },
 "definitionEntry": {
- "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749"
+ "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
+ "displayName": "Not allowed resource types"
 },
 "parameters": {
 "listOfResourceTypesNotAllowed": [
@@ -183,8 +184,9 @@
 },
 "parameters": {
 // Replace the ---location--- with the location of the Private Link Private DNS Zone resource
+ // Replace the ---short-code-location--- with the location short code of the Private Link Private DNS Zone resource e.g. "ae" for Australia East
 "privateLinkDnsZones": [
- "privatelink.ae.backup.windowsazure.com",
+ "privatelink.---short-code-location---.backup.windowsazure.com",
 "privatelink.---location---.azmk8s.io",
 "privatelink.---location---.batch.azure.com",
 "privatelink.---location---.kusto.windows.net",
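Review bot: The `---short-code-location---` token in the `@@ -183,8 +184,9 @@` hunk introduces a second placeholder that must be substituted by hand alongside `---location---`, and nothing in the file checks that either was replaced; if the literal survives deployment the zone name `privatelink.---short-code-location---.backup.windowsazure.com` matches no real zone, so whatever this assignment enforces for the backup private DNS zone is silently skipped. The new comment should say that explicitly: `// Replace the ---short-code-location--- with the location short code ... e.g. "ae" for Australia East. An unreplaced token leaves that zone out of scope of this policy.` Treating an unreplaced `---` token as a deployment-time failure in the calling script (outside this hunk) would close the gap for both placeholders.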
@@ -202,6 +204,7 @@
 "privatelink.azuredatabricks.net",
 "privatelink.azurehdinsight.net",
 "privatelink.azurehealthcareapis.com",
+ "privatelink.azureiotcentral.com",
 "privatelink.azurestaticapps.net",
 "privatelink.azuresynapse.net",
 "privatelink.azurewebsites.net",
@@ -217,8 +220,10 @@
 "privatelink.digitaltwins.azure.net",
 "privatelink.directline.botframework.com",
 "privatelink.documents.azure.com",
+ "privatelink.dp.kubernetesconfiguration.azure.com",
 "privatelink.eventgrid.azure.net",
 "privatelink.file.core.windows.net",
+ "privatelink.grafana.azure.com",
 "privatelink.gremlin.cosmos.azure.com",
 "privatelink.guestconfiguration.azure.com",
 "privatelink.his.arc.azure.com",
@@ -251,7 +256,9 @@
 "privatelink.token.botframework.com",
 "privatelink.vaultcore.azure.net",
 "privatelink.web.core.windows.net",
- "privatelink.webpubsub.azure.com"
+ "privatelink.webpubsub.azure.com",
+ "privatelink.wvd.microsoft.com",
+ "privatelink-global.wvd.microsoft.com"
 ]
 },
 "nonComplianceMessages": [
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Identity-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Identity-Default.jsonc
index 705bb9e0..cb895887 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Identity-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Identity-Default.jsonc
@@ -19,7 +19,7 @@
 },
 "definitionEntry": {
 "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
- "displayName": "Deny Public IP"
+ "displayName": "Not allowed resource types"
 },
 "parameters": {
 "listOfResourceTypesNotAllowed": [
@@ -83,10 +83,7 @@
 "policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
 "displayName": "Deploy VM Backup"
 },
- "parameters": {
- "exclusionTagName": "",
- "exclusionTagValue": []
- },
+ "parameters": {},
 "nonComplianceMessages": [
 {
 "message": "Backup on virtual machines without a given tag must be configured to a new recovery services vault with a default policy."
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc
index 5f49e0a5..4eaad300 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc
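Review bot: Replacing the explicit `exclusionTagName`/`exclusionTagValue` with `"parameters": {}` makes this assignment depend on whatever defaults the built-in definition 98d0b9f8-… declares, and the file no longer records what those are or that the exclusion-tag mechanism is still available; the same change is made in ALZ-LandingZones-Default.jsonc (`@@ -213,10 +210,7 @@`). A short comment keeps the intent visible and tells the next operator where to re-add an exclusion: `"parameters": {}, // exclusion tag parameters fall back to the definition defaults; set exclusionTagName/exclusionTagValue here to exempt tagged VMs`. If any of the definition's parameters has no default, the assignment will fail at deployment, which is worth confirming before merge.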
@@ -9,14 +9,12 @@
 "parameters": {
 // The policies deployed at this scope deploy a managed identity - which is then used in the monitoring policies - you can use the same identity for the monitoring policies deployed at the platform level.
 "logAnalyticsWorkspaceId": "", // Replace with your central Log Analytics workspace ID
- "userAssignedManagedIdentityName": "", // Replace with the name of the user assigned managed identity to deploy
- "userAssignedIdentityName": "", // Replace with the name of the user assigned managed identity to deploy
+ "userAssignedIdentityResourceId": "", // Replace with the resource Id of the user assigned managed identity
 "bringYourOwnUserAssignedManagedIdentity": true,
 "enableProcessesAndDependencies": true,
- "userAssignedManagedIdentityResourceGroup": "", //Replace with the name of the resource group where the user assigned managed identity is deployed
- "identityResourceGroup": "", // Replace with the name of the resource group where the user assigned managed identity is to be deployed
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": false,
 "scopeToSupportedImages": false,
- "builtInIdentityResourceGroupLocation": "australiaeast"
+ "ddosPlan": "" // Replace with DDOS plan Id
 },
 "children": [
 {
@@ -115,7 +113,7 @@
 {
 "nodeName": "EnableDDOS",
 "assignment": {
- "name": "Enable-DDoS-VNET",
+ "name": "Enable-DDoS-VNET-LZ",
 "displayName": "Virtual networks should be protected by Azure DDoS Network Protection",
 "description": "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Network Protection. For more information, visit https://aka.ms/ddosprotectiondocs."
 },
@@ -124,8 +122,7 @@
 "displayName": "Audit DDOS Landing Zones"
 },
 "parameters": {
- "effect": "Modify",
- "ddosPlan": "null"
+ "effect": "Modify"
 },
 "nonComplianceMessages": [
 {
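Review bot: `"restrictBringYourOwnUserAssignedIdentityToSubscription": false` is the one new value in this parameter block with a security consequence and it is added without a comment: judging by its name it allows the identity in `userAssignedIdentityResourceId` to be attached to VMs in subscriptions other than the one that owns it, which a shared platform identity needs but which also widens where that identity's permissions can be exercised. Suggest `"restrictBringYourOwnUserAssignedIdentityToSubscription": false, // false: the shared UAMI may be assigned to VMs in other subscriptions; set true if each subscription brings its own identity`. The same block is added in ALZ-Platform-Default.jsonc (`@@ -9,14 +9,11 @@`). The comment on `userAssignedIdentityResourceId` should also spell out that a full ARM resource ID is expected, since the name/resource-group parameters it replaces are gone.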
@@ -213,10 +210,7 @@
 "policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
 "displayName": "Deploy VM Backup"
 },
- "parameters": {
- "exclusionTagName": "",
- "exclusionTagValue": []
- },
+ "parameters": {},
 "nonComplianceMessages": [
 {
 "message": "Backup on virtual machines without a given tag must be configured to a new recovery services vault with a default policy."
@@ -231,7 +225,7 @@
 {
 "nodeName": "GuardRails",
 "assignment": {
- "name": "Enforce-GR-KeyVault",
+ "name": "Enforce-GR-KeyVault-LZ",
 "displayName": "Enforce recommended guardrails for Azure Key Vault",
 "description": "This initiative assignment enables recommended ALZ guardrails for Azure Key Vault."
 },
@@ -253,13 +247,13 @@
 {
 "nodeName": "TLS",
 "assignment": {
- "name": "Enforce-TLS-SSL",
+ "name": "Enforce-TLS-SSL-H224",
 "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit",
 "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit."
 },
 "definitionEntry": {
- "policySetName": "Enforce-EncryptTransit",
- "displayName": "Enforce Encrypt Transit"
+ "policySetName": "Enforce-EncryptTransit_20240509",
+ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit"
 },
 "nonComplianceMessages": [
 {
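Review bot: In the `@@ -253,13 +247,13 @@` hunk the new assignment name `Enforce-TLS-SSL-H224` follows a different suffix convention from the other renames in this file (`Enforce-GR-KeyVault-LZ`, `Enable-DDoS-VNET-LZ` use the scope), and nothing says what `H224` encodes, so a reader cannot tell whether it is a scope tag or a release tag that will change again with the next `Enforce-EncryptTransit_<date>` policy set. If it is a version marker, state it once on the line: `"name": "Enforce-TLS-SSL-H224", // H224 = <release this suffix refers to>; paired with Enforce-EncryptTransit_20240509`. Using one convention (scope suffix, with the version carried only by `policySetName`) across the file would avoid the question entirely.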
@@ -304,12 +298,12 @@
 {
 "nodeName": "DefenderSQL",
 "assignment": {
- "name": "Deploy-MDFC-DefenSQL-AMA",
+ "name": "Deploy-MDFC-SQL-AMA-LZ",
 "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
 "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace."
 },
 "definitionEntry": {
- "policySetName": "Deploy-MDFC-DefenderSQL-AMA",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
 "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
 "nonComplianceMessages": [
 {
@@ -319,11 +313,11 @@
 ]
 },
 "parameters": {
- "dcrResourceGroup": "", // Resource group for the DCR
- "dcrId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
+ "dcrResourceId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
 "userWorkspaceResourceId": "", //Log analytics workspace Id
 "workspaceRegion": "", // Log analytics workspace region
- "dcrName": "" // DCR Name
+ "enableCollectionOfSqlQueriesForSecurityResearch": "false",
+ "bringYourOwnDcr": true // Ensure the DCR is deployed
 }
 },
 {
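Review bot: In the `@@ -319,11 +313,11 @@` hunk, `"enableCollectionOfSqlQueriesForSecurityResearch": "false"` passes a string where the built-in policy set de01d381-… presumably declares a Boolean parameter (the other boolean in the same block, `bringYourOwnDcr`, is written as a bare `true`); a string is either rejected at assignment time or, worse, accepted and interpreted by the consumer as a non-empty value. Change it to `"enableCollectionOfSqlQueriesForSecurityResearch": false, // opts SQL query text into collection for Microsoft security research when true`, since the setting also has a data-sharing implication that deserves a comment. The identical line is added in ALZ-Platform-Default.jsonc (`@@ -62,11 +59,28 @@`).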
@@ -351,7 +345,7 @@
 {
 "nodeName": "UpdateManager",
 "assignment": {
- "name": "Enable-AUM-CheckUpdates",
+ "name": "Enable-AUM-Updates-LZ",
 "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
 "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
 },
@@ -366,116 +360,14 @@
 ]
 },
 "parameters": {
- "locations": [
- "asia",
- "asiapacific",
- "australia",
- "australiacentral",
- "australiacentral2",
- "australiaeast",
- "australiasoutheast",
- "brazil",
- "brazilsouth",
- "brazilsoutheast",
- "brazilus",
- "canada",
- "canadacentral",
- "canadaeast",
- "centralindia",
- "centralus",
- "centralusstage",
- "eastasia",
- "eastasiastage",
- "eastus",
- "eastusstage",
- "eastus2",
- "eastus2stage",
- "europe",
- "france",
- "francecentral",
- "francesouth",
- "germany",
- "germanynorth",
- "germanywestcentral",
- "global",
- "india",
- "israelcentral",
- "italynorth",
- "japan",
- "japaneast",
- "japanwest",
- "jioindiacentral",
- "jioindiawest",
- "korea",
- "koreacentral",
- "koreasouth",
- "northcentralus",
- "northcentralusstage",
- "northeurope",
- "norway",
- "norwayeast",
- "norwaywest",
- "polandcentral",
- "qatarcentral",
- "singapore",
- "southafrica",
- "southafricanorth",
- "southafricawest",
- "southcentralus",
- "southcentralusstage",
- "southindia",
- "southeastasia",
- "southeastasiastage",
- "sweden",
- "swedencentral",
- "switzerland",
- "switzerlandnorth",
- "switzerlandwest",
- "uaecentral",
- "uaenorth",
- "uksouth",
- "ukwest",
- "uae",
- "uk",
- "unitedstates",
- "unitedstateseuap",
- "westcentralus",
- "westeurope",
- "westindia",
- "westus",
- "westusstage",
- "westus2",
- "westus2stage",
- "westus3"
- ]
+ "tagValues": {},
+ "locations": [],
+ "tagOperator": "Any",
+ "assessmentMode": "AutomaticByPlatform"
 }
 }
 ]
 },
- {
- "nodeName": "ManagedIdentity",
- "children": [
- {
- "nodeName": "UAMI",
- "assignment": {
- "name": "Deploy-UAMI-VMInsights",
- "displayName": "Deploy User Assigned Managed Identity for VM Insights",
- "description": "Deploy User Assigned Managed Identity for VM Insights"
- },
- "definitionEntry": {
- "policyName": "Deploy-UserAssignedManagedIdentity-VMInsights",
- "displayName": "Deploy User Assigned Managed Identity for VM Insights",
- "nonComplianceMessages": [
- {
- "policyDefinitionReferenceId": null,
- "message": "User Assigned Identity must be created for VM Insights."
- }
- ]
- },
- "parameters": {}
- }
- ]
- },
 {
 "nodeName": "Monitoring",
 "children": [
@@ -611,6 +503,29 @@
 }
 }
 ]
+ },
+ {
+ "nodeName": "Backup",
+ "children": [
+ {
+ "nodeName": "ASR",
+ "assignment": {
+ "name": "Enforce-ASR-LZ",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services."
+ },
+ "definitionEntry": {
+ "policySetName": "Enforce-Backup",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Recommended guardrails must be enforced for Azure Recovery Services (Backup and Site Recovery)."
+ }
+ ]
+ }
+ }
+ ]
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc
index 43eacd7c..2b953cc4 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc
@@ -9,9 +9,9 @@
 "parameters": {
 "workspaceRegion": "", // Replace with your primary region
 "automationRegion": "", // Replace with your primary region
- "rgName": "alz-mgmt", // Replace with a unique resource group name
- "automationAccountName": "alz-aauto", // Replace with an automation account name
- "workspaceName": "alz-law" // Replace with a Log Analytics workspace name
+ "rgName": "", // Replace with a unique resource group name
+ "automationAccountName": "", // Replace with an automation account name
+ "workspaceName": "" // Replace with a Log Analytics workspace name
 },
 "children": [
 {
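Review bot: The new `"locations": []` and `"tagValues": {}` in the `@@ -366,116 +360,14 @@` hunk rely on the Update Manager policy reading an empty list as "every region" and an empty map as "no tag filter"; that is presumably the intent, since they replace an explicit 80-region list, but an operator reading `[]` as "nowhere" would conclude assessment is switched off. Suggest `"locations": [], // empty = all regions (replaces the former explicit region list)` and `"tagValues": {}, // empty = no tag filter`. Removing the `ManagedIdentity`/`UAMI` node also makes the scope-level comment at line 10 of this file ("The policies deployed at this scope deploy a managed identity") stale: the identity in `userAssignedIdentityResourceId` must now exist before this file is deployed, and that comment should say so. The same replacement is made in ALZ-Platform-Default.jsonc (`@@ -244,87 +258,32 @@`).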
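Review bot: The new `Backup`/`ASR` node in the `@@ -611,6 +503,29 @@` hunk omits a `"parameters"` entry, unlike the other assignment nodes in these files, which carry at least `"parameters": {}`; add `"parameters": {}` after `definitionEntry` so the node has the same shape and a reader does not have to wonder whether the omission is deliberate. The same hunk also drops the file's trailing newline (`\ No newline at end of file` on the new `}`), which the previous version had; restore it.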
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc
index 3c504d58..fbcf8511 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc
@@ -9,14 +9,11 @@
 // Ensure that this whole file is reviewed for parameters and ensure DCRs, managed identities, and log analytics workspace are deployed
 // Sources for the DCRs which need to be deployed are in the individual assignment parameter comments
 "parameters": {
- "userAssignedManagedIdentityName": "", // Replace with the name of the user assigned managed identity
- "userAssignedIdentityName": "", // Replace with the name of the user assigned managed identity
+ "userAssignedIdentityResourceId": "", // Replace with the resource Id of the user assigned managed identity
 "bringYourOwnUserAssignedManagedIdentity": true,
 "enableProcessesAndDependencies": true,
- "userAssignedManagedIdentityResourceGroup": "", //Replace with the name of the resource group where the user assigned managed identity is deployed
- "identityResourceGroup": "", // Replace with the name of the resource group where the user assigned managed identity is deployed
- "scopeToSupportedImages": false,
- "resourceName": "" // Replace with the name of the user assigned managed identity
+ "restrictBringYourOwnUserAssignedIdentityToSubscription": false,
+ "scopeToSupportedImages": false
 },
 "children": [
 {
@@ -47,12 +44,12 @@
 {
 "nodeName": "DefenderSQL",
 "assignment": {
- "name": "Deploy-MDFC-DefenSQL-AMA",
+ "name": "Deploy-MDFC-SQL-AMA-PLT",
 "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
 "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace."
 },
 "definitionEntry": {
- "policySetName": "Deploy-MDFC-DefenderSQL-AMA",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26",
 "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
 "nonComplianceMessages": [
 {
@@ -62,11 +59,28 @@
 ]
 },
 "parameters": {
- "dcrResourceGroup": "", // Resource group for the DCR
- "dcrId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
+ "dcrResourceId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
 "userWorkspaceResourceId": "", //Log analytics workspace Id
 "workspaceRegion": "", // Log analytics workspace region
- "dcrName": "" // DCR Name
+ "enableCollectionOfSqlQueriesForSecurityResearch": "false",
+ "bringYourOwnDcr": true // Ensure the DCR is deployed
+ }
+ },
+ {
+ "nodeName": "UAMI",
+ "assignment": {
+ "name": "DenyAction-DeleteUAMIAMA",
+ "displayName": "Do not allow deletion of the User Assigned Managed Identity used by AMA",
+ "description": "This policy provides a safeguard against accidental removal of the User Assigned Managed Identity used by AMA by blocking delete calls using deny action effect."
+ },
+ "definitionEntry": {
+ "policyName": "DenyAction-DeleteResources",
+ "displayName": "Do not allow deletion of specified resource and resource type"
+ },
+ "parameters": {
+ "effect": "DenyAction",
+ "resourceType": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "resourceName": "" // Resource name for the user-assigned managed identity
 }
 }
 ]
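Review bot: The new `DenyAction-DeleteUAMIAMA` node is only a safeguard once `"resourceName": ""` is filled in, and an empty name is not caught anywhere: depending on how `DenyAction-DeleteResources` compares the name, an empty value presumably either protects nothing or matches more identities than intended, and either outcome is silent because DenyAction produces no non-compliance record of its own. The comment should state the consequence and tie the value to the identity already configured at the top of this file: `"resourceName": "" // REQUIRED: name segment of userAssignedIdentityResourceId; if left empty this DenyAction protects nothing`. The enclosing `children` array continues outside the hunk; `effect` and `resourceType` read correctly as given.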
@@ -229,7 +243,7 @@
 {
 "nodeName": "UpdateManager",
 "assignment": {
- "name": "Enable-AUM-CheckUpdates",
+ "name": "Enable-AUM-Updates-PLT",
 "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
 "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
 },
@@ -244,87 +258,32 @@
 ]
 },
 "parameters": {
- "locations": [
- "asia",
- "asiapacific",
- "australia",
- "australiacentral",
- "australiacentral2",
- "australiaeast",
- "australiasoutheast",
- "brazil",
- "brazilsouth",
- "brazilsoutheast",
- "brazilus",
- "canada",
- "canadacentral",
- "canadaeast",
- "centralindia",
- "centralus",
- "centralusstage",
- "eastasia",
- "eastasiastage",
- "eastus",
- "eastusstage",
- "eastus2",
- "eastus2stage",
- "europe",
- "france",
- "francecentral",
- "francesouth",
- "germany",
- "germanynorth",
- "germanywestcentral",
- "global",
- "india",
- "israelcentral",
- "italynorth",
- "japan",
- "japaneast",
- "japanwest",
- "jioindiacentral",
- "jioindiawest",
- "korea",
- "koreacentral",
- "koreasouth",
- "northcentralus",
- "northcentralusstage",
- "northeurope",
- "norway",
- "norwayeast",
- "norwaywest",
- "polandcentral",
- "qatarcentral",
- "singapore",
- "southafrica",
- "southafricanorth",
- "southafricawest",
- "southcentralus",
- "southcentralusstage",
- "southindia",
- "southeastasia",
- "southeastasiastage",
- "sweden",
- "swedencentral",
- "switzerland",
- "switzerlandnorth",
- "switzerlandwest",
- "uaecentral",
- "uaenorth",
- "uksouth",
- "ukwest",
- "uae",
- "uk",
- "unitedstates",
- "unitedstateseuap",
- "westcentralus",
- "westeurope",
- "westindia",
- "westus",
- "westusstage",
- "westus2",
- "westus2stage",
- "westus3"
+ "tagValues": {},
+ "locations": [],
+ "tagOperator": "Any",
+ "assessmentMode": "AutomaticByPlatform"
+ }
+ }
+ ]
+ },
+ {
+ "nodeName": "Backup",
+ "children": [
+ {
+ "nodeName": "ASR",
+ "assignment": {
+ "name": "Enforce-ASR-PLT",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "description": "This initiative assignment enables recommended ALZ guardrails for Azure Recovery Services."
+ },
+ "definitionEntry": {
+ "policySetName": "Enforce-Backup",
+ "displayName": "Enforce enhanced recovery and backup policies",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Recommended guardrails must be enforced for Azure Recovery Services (Backup and Site Recovery)."
+ }
 ]
 }
 }
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
index 6b7b15df..d2641af5 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
@@ -10,7 +10,7 @@
 "logAnalytics": "", // Replace with your central Log Analytics workspace ID
 "logAnalytics_1": "", // Replace with your central Log Analytics workspace ID
 "emailSecurityContact": "", // Security contact email address for Microsoft Defender for Cloud
- "ascExportResourceGroupName": "mdfc-export", // Resource group to export Microsoft Defender for Cloud data to
+ "ascExportResourceGroupName": "asc-export", // Resource group to export Microsoft Defender for Cloud data to
 "ascExportResourceGroupLocation": "" // Location of the resource group to export Microsoft Defender for Cloud data to
 },
 "children": [
@@ -38,27 +38,27 @@
 {
 "nodeName": "MDFC",
 "assignment": {
- "name": "Deploy-MDFC-Config",
+ "name": "Deploy-MDFC-Config-H224",
 "displayName": "Deploy Microsoft Defender for Cloud configuration",
 "description": "Deploy Microsoft Defender for Cloud and Security Contacts"
 },
 "definitionEntry": {
- "policySetName": "Deploy-MDFC-Config",
+ "policySetName": "Deploy-MDFC-Config_20240319",
 "displayName": "Microsoft Defender For Cloud"
 },
 "parameters": {
- "enableAscForServers": "Disabled", // Adjust parameter values to control Microsoft Defender for Cloud configuration Disabled/Disabled
- "enableAscForSql": "Disabled",
- "enableAscForAppServices": "Disabled",
- "enableAscForStorage": "Disabled",
- "enableAscForContainers": "Disabled",
- "enableAscForKeyVault": "Disabled",
- "enableAscForSqlOnVm": "Disabled",
- "enableAscForArm": "Disabled",
- "enableAscForOssDb": "Disabled",
- "enableAscForCosmosDbs": "Disabled",
- "enableAscForServersVulnerabilityAssessments": "Disabled",
- "enableAscForCspm": "Disabled"
+ "enableAscForServers": "DeployIfNotExists", // Adjust parameter values to control Microsoft Defender for Cloud configuration Disabled/Disabled
+ "enableAscForCosmosDbs": "DeployIfNotExists",
+ "enableAscForAppServices": "DeployIfNotExists",
+ "enableAscForStorage": "DeployIfNotExists",
+ "enableAscForOssDb": "DeployIfNotExists",
+ "enableAscForKeyVault": "DeployIfNotExists",
+ "enableAscForArm": "DeployIfNotExists",
+ "enableAscForSqlOnVm": "DeployIfNotExists",
+ "enableAscForContainers": "DeployIfNotExists",
+ "enableAscForServersVulnerabilityAssessments": "DeployIfNotExists",
+ "enableAscForSql": "DeployIfNotExists",
+ "enableAscForCspm": "DeployIfNotExists"
 },
 "nonComplianceMessages": [
 {
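Review bot: All twelve Defender plans flip from `Disabled` to `DeployIfNotExists`, yet the comment carried over on `enableAscForServers` still reads `Disabled/Disabled`, which names neither of the two accepted values nor the fact that the default now enables paid plans across the tenant. Change it to `// Adjust parameter values to control Microsoft Defender for Cloud configuration: DeployIfNotExists (enable plan) / Disabled`. The keys were also reordered relative to the removed block, so a 12-line value change reads as 24 unrelated lines; keeping the original order would make the actual change (value only) obvious to the next reviewer.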
@@ -89,6 +89,24 @@
 }
 ]
 },
+ {
+ "nodeName": "MDAMA",
+ "assignment": {
+ "name": "Deploy-MDEndpointsAMA",
+ "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
+ "description": "Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3",
+ "displayName": "Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Microsoft Defender for Endpoint must be deployed."
+ }
+ ]
+ }
+ },
 {
 "nodeName": "MDFEOSSDB",
 "assignment": {
@@ -166,18 +184,18 @@
 {
 "nodeName": "ResourceDiagnostics",
 "assignment": {
- "name": "Deploy-Resource-Diag",
- "displayName": "Deploy-Resource-Diag",
- "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace."
+ "name": "Deploy-Diag-Logs",
+ "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics",
+ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources."
 },
 "definitionEntry": {
- "policySetName": "Deploy-Diagnostics-LogAnalytics",
- "displayName": "Resource Diagnostics"
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038",
+ "displayName": "Enable allLogs category group resource logging for supported resources to Log Analytics"
 },
 "parameters": {},
 "nonComplianceMessages": [
 {
- "message": "Diagnostic settings must be deployed to Azure services."
+ "message": "Diagnostic settings must be deployed to Azure services to forward logs to Log Analytics."
 }
 ]
 }
@@ -241,7 +259,7 @@
 },
 "definitionEntry": {
 "policyName": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
- "displayName": "Deny Classic Resources"
+ "displayName": "Not allowed resource types"
 },
 "parameters": {
 "listOfResourceTypesNotAllowed": [
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-WorkloadGuardRails.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-WorkloadGuardRails.jsonc
index 3eea8474..040fe2cd 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-WorkloadGuardRails.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-WorkloadGuardRails.jsonc
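Review bot: The new `description` in the `@@ -166,18 +184,18 @@` hunk ends with "to route logs to an Event Hub for all supported resources", but the assignment name, `displayName`, the policy set 0884adba-… and the new non-compliance message all say Log Analytics; the sentence appears to have been copied from the Event Hub variant of that initiative and will mislead anyone reading the assignment in the portal. Change the tail of the description to `... to route logs to a Log Analytics workspace for all supported resources.` The old description also mentioned metrics, which the allLogs category group does not cover; dropping that claim is correct, so no change needed there.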
@@ -433,6 +433,24 @@
 "message": "Recommended guardrails must be enforced for Virtual Desktop"
 }
 ]
+ },
+ {
+ "nodeName": "CMK",
+ "assignment": {
+ "name": "Enforce-Encrypt-CMK",
+ "displayName": "Enforce recommended guardrails for Customer Managed Keys",
+ "description": "This initiative assignment enables additional ALZ guardrails for Customer Managed Keys."
+ },
+ "definitionEntry": {
+ "policySetName": "Enforce-Encryption-CMK",
+ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Recommended guardrails must be enforced for Customer Managed Keys."
+ }
+ ]
+ }
 }
 ]
 }
\ No newline at end of file