Merge branch 'policy-refresh-q1fy24' of https://github.com/Azure/Ente…

…rprise-Scale into RBACAssignments
Azure · Sep 18, 2023 · 91254a9 · 91254a9
2 parents 1ff7c8b + bc80050
commit 91254a9
Show file tree

Hide file tree

Showing 6 changed files with 204 additions and 75 deletions.
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -42,6 +42,13 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 #### Policy
 
+- Updated to the new [Configure Microsoft Defender for Storage to be enabled](https://www.azadvertizer.com/azpolicyadvertizer/cfdc5972-75b3-4418-8ae1-7f5c36839390.html) built-in policy to the `Deploy-MDFC-Config` initiative and assignment.
+  - Read more about the new Microsoft Defender for Storage here: [aka.ms//DefenderForStorage](https://aka.ms//DefenderForStorage).
+  - NOTE: there are additional cost considerations associated with this feature - [more info](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction#malware-scanning-powered-by-microsoft-defender-antivirus).
+- Added two new definitions with Deny Action feature:
+  - `DenyAction-ActivityLogSettings.json`
+  - `DenyAction-DiagnosticSettings.json`
+
 > **Important:** For existing ALZ deployments, you will need to redeploy the below assignments with least privilege RBAC roles, and review and remove existing service principals `Owner` role assignments. The below list includes the scope that needs to be reviewed. For new deployments, the below assignments will be deployed with least privilege RBAC roles.
 
 ![Where to find RBAC roles to cleanup](media/WN-RBACCleanup.png)

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json
@@ -0,0 +1,38 @@
+{
+    "name": "DenyAction-ActivityLogs",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "displayName": "DenyAction implementation on Activity Logs",
+        "description": "This is a DenyAction implementation policy on Activity Logs.",
+        "metadata": {
+            "deprecated": false,            
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyRule": {
+            "if": {
+                "field": "type",
+                "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings"
+            },
+            "then": {
+                "effect": "denyAction",
+                "details": {
+                    "actionNames": [
+                        "delete"
+                    ]
+                }
+            }
+        }
+    }
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json
@@ -0,0 +1,38 @@
+{
+    "name": "DenyAction-DiagnosticLogs",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "displayName": "DenyAction implementation on Diagnostic Logs.",
+        "description": "DenyAction implementation on Diagnostic Logs.",
+        "metadata": {
+            "deprecated": false,
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyRule": {
+            "if": {
+                "field": "type",
+                "equals": "Microsoft.Insights/diagnosticSettings"
+            },
+            "then": {
+                "effect": "denyAction",
+                "details": {
+                    "actionNames": [
+                        "delete"
+                    ]
+                }
+            }
+        }
+    }
+}
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json
@@ -0,0 +1,37 @@
+{
+    "name": "DenyAction-DeleteProtection",
+    "type": "Microsoft.Authorization/policySetDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
+        "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyDefinitions": [
+            {
+                "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings",
+                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings",
+                "parameters": {},
+                "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings",
+                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings",
+                "parameters": {},
+                "groupNames": []
+            }
+        ],
+        "policyDefinitionGroups": null
+    }
+}
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
@@ -177,6 +177,8 @@ var loadPolicyDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkPrivateDnsZones.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment
@@ -224,6 +226,7 @@ var loadPolicySetDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
+    loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning