Fixes for policy as rule and policy ignore #1731 #181 #1323 (#2720)

Azure · Mar 3, 2024 · 036db3d · 036db3d
1 parent 56ebaf3
commit 036db3d
Show file tree

Hide file tree

Showing 17 changed files with 548 additions and 54 deletions.
diff --git a/.vscode/markdown.code-snippets b/.vscode/markdown.code-snippets
@@ -140,5 +140,15 @@
       "",
       "```"
     ]
+  },
+  "rule-azure-example-policy": {
+    "scope": "markdown",
+    "prefix": "rule-azure-example-policy",
+    "description": "Example for Azure Policy",
+    "body": [
+      "### Configure with Azure Policy",
+      "",
+      "To address this issue at runtime use the following policies:"
+    ]
   }
 }
diff --git a/.vscode/yaml.code-snippets b/.vscode/yaml.code-snippets
@@ -1,5 +1,6 @@
 {
   "Azure rule with type": {
+    "scope": "yaml",
     "prefix": "rule-azure-with-type",
     "description": "Rule definition for Azure",
     "body": [

diff --git a/data/policy-ignore.json b/data/policy-ignore.json
@@ -165,6 +165,42 @@
       "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390"
     ],
     "reason": "Duplicate",
-    "value": "Azure.Defender.Storage.SensitiveData"
+    "value": "Azure.Defender.Storage.DataScan"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.ContainerApp.Insecure"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.ContainerApp.ManagedIdentity"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.Storage.BlobPublicAccess"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9",
+      "/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.Storage.SecureTransfer"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.Storage.MinTLS"
   }
 ]
diff --git a/docs/CHANGELOG-v1.md b/docs/CHANGELOG-v1.md
@@ -48,9 +48,16 @@ What's changed since pre-release v1.34.0-B0047:
       - Renamed `Azure.Storage.DefenderCloud.SensitiveData` to `Azure.Storage.Defender.DataScan`.
     - Promoted `Azure.Storage.Defender.MalwareScan` to GA rule set by @BernieWhite.
       [#2590](https://github.com/Azure/PSRule.Rules.Azure/pull/2590)
+- General improvements:
+  - Added duplicate policies to default ignore list by @BernieWhite.
+    [#1731](https://github.com/Azure/PSRule.Rules.Azure/issues/1731)
 - Engineering:
   - Updated resource providers and policy aliases.
     [#2717](https://github.com/Azure/PSRule.Rules.Azure/pull/2717)
+- Bug fixes:
+  - Fixes for policy as rules by @BernieWhite.
+    [#181](https://github.com/Azure/PSRule.Rules.Azure/issues/181)
+    [#1323](https://github.com/Azure/PSRule.Rules.Azure/issues/1323)
 
 ## v1.34.0-B0047 (pre-release)
 

diff --git a/docs/en/rules/Azure.Cognitive.DisableLocalAuth.md b/docs/en/rules/Azure.Cognitive.DisableLocalAuth.md
@@ -95,10 +95,10 @@ resource account 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
 
 To address this issue at runtime use the following policies:
 
-```text
-/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc
-/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555
-```
+- [Azure AI Services resources should have key access disabled (disable local authentication)](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Ai%20Services/CognitiveServices_DisableLocalAuth_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc`
+- [Configure Cognitive Services accounts to disable local authentication methods](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisableLocalAuth_Modify.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555`
 
 ## LINKS
 

diff --git a/docs/en/rules/Azure.ContainerApp.Insecure.md b/docs/en/rules/Azure.ContainerApp.Insecure.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-04-29
+reviewed: 2024-03-04
 severity: Important
 pillar: Security
-category: Design
+category: SE:07 Encryption
 resource: Container App
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.Insecure/
 ---
@@ -98,9 +98,16 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Container Apps should only be accessible over HTTPS](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Apps/ContainerApps_EnableHTTPS_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb`
+
 ## LINKS
 
-- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
-- [Ingress in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ingress-overview#configuration)
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
+- [Ingress in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/ingress-overview)
 - [Container Apps ARM template API specification](https://learn.microsoft.com/azure/container-apps/azure-resource-manager-api-spec?tabs=arm-template)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps)
diff --git a/docs/en/rules/Azure.ContainerApp.ManagedIdentity.md b/docs/en/rules/Azure.ContainerApp.ManagedIdentity.md
@@ -1,7 +1,7 @@
 ---
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Container App
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ContainerApp.ManagedIdentity/
 ---
@@ -16,10 +16,13 @@ Ensure managed identity is used for authentication.
 
 Using managed identities have the following benefits:
 
-- Your app connects to resources with the managed identity. You don't need to manage credentials in your container app.
+- Your app connects to resources with the managed identity.
+  You don't need to manage credentials in your container app.
 - You can use role-based access control to grant specific permissions to a managed identity.
-- System-assigned identities are automatically created and managed. They're deleted when your container app is deleted.
-- You can add and delete user-assigned identities and assign them to multiple resources. They're independent of your container app's life cycle.
+- System-assigned identities are automatically created and managed.
+  They're deleted when your container app is deleted.
+- You can add and delete user-assigned identities and assign them to multiple resources.
+  They're independent of your container app's life cycle.
 - You can use managed identity to authenticate with a private Azure Container Registry without a username and password to pull containers for your Container App.
 - You can use managed identity to create connections for Dapr-enabled applications via Dapr components.
 
@@ -102,13 +105,20 @@ resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Managed Identity should be enabled for Container Apps](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Apps/ContainerApps_ManagedIdentity_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7`
+
 ## NOTES
 
 Using managed identities in scale rules isn't supported.
 Init containers can't access managed identities.
 
 ## LINKS
 
-- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
 - [Managed identities in Azure Container Apps](https://learn.microsoft.com/azure/container-apps/managed-identity)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.app/containerapps#managedserviceidentity)
diff --git a/docs/en/rules/Azure.Storage.BlobAccessType.md b/docs/en/rules/Azure.Storage.BlobAccessType.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2022-01-20
+reviewed: 2024-03-04
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Storage Account
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.BlobAccessType/
 ---
@@ -40,16 +40,16 @@ For example:
 
 ```json
 {
-    "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
-    "apiVersion": "2021-06-01",
-    "name": "[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]",
-    "properties": {
-        "publicAccess": "None"
-    },
-    "dependsOn": [
-        "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]",
-        "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
-    ]
+  "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
+  "apiVersion": "2021-06-01",
+  "name": "[format('{0}/{1}/{2}', parameters('name'), 'default', variables('containerName'))]",
+  "properties": {
+    "publicAccess": "None"
+  },
+  "dependsOn": [
+    "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]",
+    "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]"
+  ]
 }
 ```
 
@@ -73,8 +73,10 @@ resource container 'Microsoft.Storage/storageAccounts/blobServices/containers@20
 
 ## LINKS
 
-- [Authentication with Azure AD](https://learn.microsoft.com/azure/architecture/framework/security/design-identity-authentication)
-- [About anonymous public read access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-configure#about-anonymous-public-read-access)
-- [Use Azure Policy to enforce authorized access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent#use-azure-policy-to-enforce-authorized-access)
-- [How a shared access signature works](https://docs.microsoft.com/azure/storage/common/storage-sas-overview#how-a-shared-access-signature-works)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Use Microsoft Entra ID for storage authentication](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#use-microsoft-entra-id-for-storage-authentication)
+- [Configure anonymous read access for containers and blobs](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure)
+- [Remediate anonymous read access to blob data](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent)
+- [How a shared access signature works](https://learn.microsoft.com/azure/storage/common/storage-sas-overview#how-a-shared-access-signature-works)
+- [Authorize access to blobs using Microsoft Entra ID](https://learn.microsoft.com/azure/storage/blobs/authorize-access-azure-active-directory)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts)
diff --git a/docs/en/rules/Azure.Storage.BlobPublicAccess.md b/docs/en/rules/Azure.Storage.BlobPublicAccess.md
@@ -1,7 +1,7 @@
 ---
 severity: Important
 pillar: Security
-category: Authentication
+category: SE:05 Identity and access management
 resource: Storage Account
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.BlobPublicAccess/
 ---
@@ -89,11 +89,18 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Configure your Storage account public access to be disallowed](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountDisablePublicBlobAccess_Modify.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b`
+
 ## LINKS
 
-- [Use Azure AD for storage authentication](https://docs.microsoft.com/azure/security/fundamentals/identity-management-best-practices#use-azure-ad-for-storage-authentication)
-- [Allow or disallow public read access for a storage account](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-configure#allow-or-disallow-public-read-access-for-a-storage-account)
-- [Remediate anonymous public access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent#remediate-anonymous-public-access)
-- [Use Azure Policy to enforce authorized access](https://docs.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent#use-azure-policy-to-enforce-authorized-access)
-- [Authorize access to blobs using Azure Active Directory](https://docs.microsoft.com/azure/storage/blobs/authorize-access-azure-active-directory)
+- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
+- [Use Microsoft Entra ID for storage authentication](https://learn.microsoft.com/azure/security/fundamentals/identity-management-best-practices#use-microsoft-entra-id-for-storage-authentication)
+- [Configure anonymous read access for containers and blobs](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-configure)
+- [Remediate anonymous read access to blob data](https://learn.microsoft.com/azure/storage/blobs/anonymous-read-access-prevent)
+- [Authorize access to blobs using Microsoft Entra ID](https://learn.microsoft.com/azure/storage/blobs/authorize-access-azure-active-directory)
 - [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.storage/storageaccounts)
diff --git a/docs/en/rules/Azure.Storage.MinTLS.md b/docs/en/rules/Azure.Storage.MinTLS.md
@@ -1,7 +1,8 @@
 ---
+reviewed: 2024-03-04
 severity: Critical
 pillar: Security
-category: Encryption
+category: SE:07 Encryption
 resource: Storage Account
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.MinTLS/
 ---
@@ -87,9 +88,16 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Storage accounts should have the specified minimum TLS version](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountMinimumTLSVersion_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0`
+
 ## LINKS
 
-- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
 - [TLS encryption in Azure](https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#tls-encryption-in-azure)
 - [Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account](https://learn.microsoft.com/azure/storage/common/transport-layer-security-configure-minimum-version)
 - [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline#dp-3-encrypt-sensitive-data-in-transit)

diff --git a/docs/en/rules/Azure.Storage.SecureTransfer.md b/docs/en/rules/Azure.Storage.SecureTransfer.md
@@ -1,8 +1,8 @@
 ---
-reviewed: 2023-09-02
+reviewed: 2024-03-04
 severity: Important
 pillar: Security
-category: Encryption
+category: SE:07 Encryption
 resource: Storage Account
 online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Storage.SecureTransfer/
 ms-content-id: 539cb7b9-5510-4aa3-b422-41a049a10a88
@@ -101,9 +101,18 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Secure transfer to storage accounts should be enabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9`
+- [Configure secure transfer of data on a storage account](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountSecureTransfer_Modify.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/f81e3117-0093-4b17-8a60-82363134f0eb`
+
 ## LINKS
 
-- [Data encryption in Azure](https://learn.microsoft.com/azure/architecture/framework/security/design-storage-encryption#data-in-transit)
+- [SE:07 Encryption](https://learn.microsoft.com/azure/well-architected/security/encryption#data-in-transit)
 - [Require secure transfer in Azure Storage](https://learn.microsoft.com/azure/storage/common/storage-require-secure-transfer)
 - [DP-3: Encrypt sensitive data in transit](https://learn.microsoft.com/security/benchmark/azure/baselines/storage-security-baseline#dp-3-encrypt-sensitive-data-in-transit)
 - [Sample policy for ensuring https traffic](https://learn.microsoft.com/azure/governance/policy/samples/built-in-policies#storage)