diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json index 4891d51b1..b6261825c 100644 --- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json +++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_landing_zones.tmpl.json @@ -8,7 +8,6 @@ "Deny-Privileged-AKS", "Deny-Storage-http", "Deny-Subnet-Without-Nsg", - "Deploy-AKS-Policy", "Deploy-AzSqlDb-Auditing", "Deploy-MDFC-DefSQL-AMA", "Deploy-SQL-TDE", @@ -25,6 +24,7 @@ "Enforce-AKS-HTTPS", "Enforce-ASR", "Enforce-GR-KeyVault", + "Enforce-Subnet-Private", "Enforce-TLS-SSL-H224" ], "policy_definitions": [], diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json index 8d6f4e472..44df8988a 100644 --- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json +++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_platform.tmpl.json @@ -11,7 +11,8 @@ "Deploy-VMSS-Monitoring", "Enable-AUM-CheckUpdates", "Enforce-ASR", - "Enforce-GR-KeyVault" + "Enforce-GR-KeyVault", + "Enforce-Subnet-Private" ], "policy_definitions": [], "policy_set_definitions": [], diff --git a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json index 888927d5a..e676b1a2c 100644 --- a/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json +++ b/modules/archetypes/lib/archetype_definitions/archetype_definition_es_root.tmpl.json @@ -9,7 +9,7 @@ "Deny-UnmanagedDisk", "Deploy-ASC-Monitoring", "Deploy-AzActivity-Log", - "Deploy-Diag-Logs", + "Deploy-Diag-LogsCat", "Deploy-MDEndpoints", "Deploy-MDEndpointsAMA", "Deploy-MDFC-Config-H224", @@ -200,6 +200,7 @@ "Enforce-Guardrails-APIM", "Enforce-Guardrails-AppServices", "Enforce-Guardrails-Automation", + "Enforce-Guardrails-BotService", "Enforce-Guardrails-CognitiveServices", "Enforce-Guardrails-Compute", "Enforce-Guardrails-ContainerApps", diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json new file mode 100644 index 000000000..b09d4d3fc --- /dev/null +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_deploy_diag_logscat.tmpl.json @@ -0,0 +1,28 @@ +{ + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Deploy-Diag-LogsCat", + "location": "${default_location}", + "dependsOn": [], + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources.", + "displayName": "Enable category group resource logging for supported resources to Log Analytics", + "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5", + "enforcementMode": "Default", + "nonComplianceMessages": [ + { + "message": "Diagnostic settings {enforcementMode} be deployed to Azure services to forward logs to Log Analytics." + } + ], + "parameters": { + "logAnalytics": { + "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/${root_scope_id}-mgmt/providers/Microsoft.OperationalInsights/workspaces/${root_scope_id}-la" + } + }, + "scope": "${current_scope_resource_id}", + "notScopes": [] + } +} diff --git a/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json new file mode 100644 index 000000000..f2a0da607 --- /dev/null +++ b/modules/archetypes/lib/policy_assignments/policy_assignment_es_enforce_subnet_private.tmpl.json @@ -0,0 +1,28 @@ +{ + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2022-06-01", + "name": "Enforce-Subnet-Private", + "dependsOn": [], + "properties": { + "description": "Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement", + "displayName": "Subnets should be private", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", + "enforcementMode": "Default", + "nonComplianceMessages": [ + { + "message": "Subnets {enforcementMode} be private." + } + ], + "parameters": { + "effect": { + "value": "Audit" + } + }, + "scope": "${current_scope_resource_id}", + "notScopes": [] + }, + "location": "${default_location}", + "identity": { + "type": "None" + } +} diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json index 628ae5b66..547cca8cd 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_appservice_latesttls.json @@ -9,7 +9,7 @@ "displayName": "AppService append sites with minimum TLS version to enforce.", "description": "Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version. Please note Append does not enforce compliance use then deny.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "App Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -35,6 +35,7 @@ "type": "String", "defaultValue": "1.2", "allowedValues": [ + "1.3", "1.2", "1.0", "1.1" @@ -54,7 +55,7 @@ }, { "field": "Microsoft.Web/sites/config/minTlsVersion", - "notEquals": "[parameters('minTlsVersion')]" + "less": "[parameters('minTlsVersion')]" } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json index 817426388..aac286f37 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_append_redis_sslenforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS.", "description": "Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cache", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -56,7 +56,7 @@ "anyOf": [ { "field": "Microsoft.Cache/Redis/minimumTlsVersion", - "notequals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json index a1e8b33e7..6f7e7a29e 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_eh_mintls.json @@ -9,7 +9,7 @@ "displayName": "Event Hub namespaces should use a valid TLS version", "description": "Event Hub namespaces should use a valid TLS version.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Hub", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -52,7 +52,7 @@ "anyOf": [ { "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", - "notEquals": "[parameters('minTlsVersion')]" + "less": "[parameters('minTlsVersion')]" }, { "field": "Microsoft.EventHub/namespaces/minimumTlsVersion", diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json index a8da04389..1c98aa2b4 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_mysql_http.json @@ -9,7 +9,7 @@ "displayName": "MySQL database servers enforce SSL connections.", "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -66,7 +66,7 @@ }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json index 73d491ad7..70055987b 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_redis_http.json @@ -9,7 +9,7 @@ "displayName": "Azure Cache for Redis only secure connections should be enabled", "description": "Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cache", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,7 +41,7 @@ "1.0" ], "metadata": { - "displayName": "Select minumum TLS version for Azure Cache for Redis.", + "displayName": "Select minimum TLS version for Azure Cache for Redis.", "description": "Select minimum TLS version for Azure Cache for Redis." } } @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Cache/Redis/minimumTlsVersion", - "notequals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json index f859443e7..f9890d9f4 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sql_mintls.json @@ -9,7 +9,7 @@ "displayName": "Azure SQL Database should have the minimal TLS version set to the highest version", "description": "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Sql/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json index 951d1ac18..d1d555201 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_sqlmi_mintls.json @@ -7,9 +7,9 @@ "policyType": "Custom", "mode": "Indexed", "displayName": "SQL Managed Instance should have the minimal TLS version set to the highest version", - "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities.", + "description": "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json index d9d6dd82c..47cf20289 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deny_vnet_peer_cross_sub.json @@ -9,7 +9,7 @@ "displayName": "Deny vNet peering cross subscription.", "description": "This policy denies the creation of vNet Peerings outside of the same subscriptions under the assigned scope.", "metadata": { - "version": "1.0.1", + "version": "1.1.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -31,6 +31,14 @@ "Disabled" ], "defaultValue": "Deny" + }, + "allowedVnets": { + "type": "Array", + "metadata": { + "displayName": "Allowed vNets to peer with", + "description": "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}" + }, + "defaultValue": [] } }, "policyRule": { @@ -41,8 +49,16 @@ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" }, { - "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", - "notcontains": "[subscription().id]" + "allOf": [ + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notIn": "[parameters('allowedVnets')]" + }, + { + "field": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id", + "notLike": "[concat(subscription().id, '/*')]" + } + ] } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json index 3dca74215..180fb74d1 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_mysql_sslenforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json index 3cf45b5ec..e5a74136f 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_postgresql_sslenforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Database for PostgreSQL server deploy a specific min TLS version requirement and enforce SSL ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -61,7 +61,7 @@ }, { "field": "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion", - "notEquals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json index caf64db9f..580c205cc 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_private_dns_generic.json @@ -9,7 +9,7 @@ "displayName": "Deploy-Private-DNS-Generic", "description": "Configure private DNS zone group to override the DNS resolution for PaaS services private endpoint. See https://aka.ms/pepdnszones for information on values to provide to parameters in this policy.", "metadata": { - "version": "1.0.0", + "version": "2.0.0", "category": "Networking", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -34,8 +34,8 @@ "privateDnsZoneId": { "type": "String", "metadata": { - "displayName": "Private DNS Zone ID for Paas services", - "description": "The private DNS zone name required for specific Paas Services to resolve a private DNS Zone.", + "displayName": "Private DNS Zone ID for PaaS services", + "description": "The private DNS zone name required for specific PaaS Services to resolve a private DNS Zone.", "strongType": "Microsoft.Network/privateDnsZones", "assignPermissions": true } @@ -61,11 +61,24 @@ "description": "The delay in evaluation of the policy. Review delay options at https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effect-deploy-if-not-exists" }, "defaultValue": "PT10M" + }, + "location": { + "type": "String", + "metadata": { + "displayName": "Location (Specify the Private Endpoint location)", + "description": "Specify the Private Endpoint location", + "strongType": "location" + }, + "defaultValue": "northeurope" } }, "policyRule": { "if": { "allOf": [ + { + "field": "location", + "equals": "[parameters('location')]" + }, { "field": "type", "equals": "Microsoft.Network/privateEndpoints" diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json index 48909e0ee..51323d520 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sql_mintls.json @@ -9,7 +9,7 @@ "displayName": "SQL servers deploys a specific min TLS version requirement.", "description": "Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -54,7 +54,7 @@ }, { "field": "Microsoft.Sql/servers/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json index a2e4c61ce..fa69bf9b3 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_sqlmi_mintls.json @@ -9,7 +9,7 @@ "displayName": "SQL managed instances deploy a specific min TLS version requirement.", "description": "Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -54,7 +54,7 @@ }, { "field": "Microsoft.Sql/managedInstances/minimalTlsVersion", - "notequals": "[parameters('minimalTlsVersion')]" + "less": "[parameters('minimalTlsVersion')]" } ] }, diff --git a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json index 6e0531aa6..5b624d427 100644 --- a/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json +++ b/modules/archetypes/lib/policy_definitions/policy_definition_es_deploy_storage_sslenforcement.json @@ -9,7 +9,7 @@ "displayName": "Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS ", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Storage. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your Azure Storage.", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -60,7 +60,7 @@ }, { "field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", - "notEquals": "[parameters('minimumTlsVersion')]" + "less": "[parameters('minimumTlsVersion')]" } ] } diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json index d256cf21d..78698ddef 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config_20240319.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "1.0.0", + "version": "2.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-MDFC-Config", @@ -59,6 +59,18 @@ "description": "The location where the resource group and the export to Log Analytics workspace configuration are created." } }, + "createResourceGroup": { + "type": "Boolean", + "metadata": { + "displayName": "Create resource group", + "description": "If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group." + }, + "defaultValue": true, + "allowedValues": [ + true, + false + ] + }, "enableAscForCosmosDbs": { "type": "String", "allowedValues": [ @@ -355,7 +367,7 @@ }, { "policyDefinitionReferenceId": "defenderForCspm", - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21", "parameters": { "effect": { "value": "[parameters('enableAscForCspm')]" @@ -386,6 +398,9 @@ "resourceGroupLocation": { "value": "[parameters('ascExportResourceGroupLocation')]" }, + "createResourceGroup": { + "value": "[parameters('createResourceGroup')]" + }, "workspaceResourceId": { "value": "[parameters('logAnalytics')]" } diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json index a51b7de08..7b07b46bd 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_encryption_cmk.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "3.0.0", + "version": "3.1.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -329,6 +329,18 @@ "Deny", "Disabled" ] + }, + "botServiceCmk": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] } }, "policyDefinitions": [ @@ -621,6 +633,16 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", + "parameters": { + "effect": { + "value": "[parameters('botServiceCmk')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json new file mode 100644 index 000000000..e27021b39 --- /dev/null +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_botservice.tmpl.json @@ -0,0 +1,107 @@ +{ + "name": "Enforce-Guardrails-BotService", + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "scope": null, + "properties": { + "policyType": "Custom", + "displayName": "Enforce recommended guardrails for Bot Service", + "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.", + "metadata": { + "version": "1.0.0", + "category": "Bot Service", + "source": "https://github.com/Azure/Enterprise-Scale/", + "alzCloudEnvironments": [ + "AzureCloud", + "AzureChinaCloud", + "AzureUSGovernment" + ] + }, + "parameters": { + "botServiceValidUri": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] + }, + "botServiceIsolatedMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "audit", + "Deny", + "deny", + "Disabled", + "disabled" + ] + }, + "botServiceLocalAuth": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "botServicePrivateLink": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a", + "parameters": { + "effect": { + "value": "[parameters('botServiceValidUri')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e", + "parameters": { + "effect": { + "value": "[parameters('botServiceIsolatedMode')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-BotService-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a", + "parameters": { + "effect": { + "value": "[parameters('botServiceLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-BotService-Private-Link", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e", + "parameters": { + "effect": { + "value": "[parameters('botServicePrivateLink')]" + } + }, + "groupNames": [] + } + ], + "policyDefinitionGroups": null + } +} \ No newline at end of file diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json index a10aab0ab..a846b06a0 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_cognitiveservices.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cognitive Services", "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -44,6 +44,14 @@ "Disabled" ] }, + "cognitiveServicesLocalAuth": { + "type": "string", + "defaultValue": "Modify", + "allowedValues": [ + "Modify", + "Disabled" + ] + }, "modifyCognitiveSearchPublicEndpoint": { "type": "string", "defaultValue": "Modify", @@ -59,6 +67,32 @@ "Modify", "Disabled" ] + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "cognitiveServicesResourceLogs": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] } }, "policyDefinitions": [ @@ -111,6 +145,46 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "parameters": { + "effect": { + "value": "[parameters('cognitiveServicesManagedIdentity')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "parameters": { + "effect": { + "value": "[parameters('cognitiveServicesCustomerStorage')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "parameters": { + "effect": { + "value": "[parameters('cognitiveServicesLocalAuth')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", + "parameters": { + "effect": { + "value": "[parameters('cognitiveServicesResourceLogs')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json index a4a15c22a..1c683c4a2 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_machinelearning.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Machine Learning", "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -59,6 +59,80 @@ "Modify", "Disabled" ] + }, + "mlIdleShutdown": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlVirtualNetwork": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "mlLegacyMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "mlPrivateLink": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "mlResourceLogs": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] + }, + "mlAllowedRegistryDeploy": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Deny", + "Disabled" + ] + }, + "mlAllowedModule": { + "type": "string", + "defaultValue": "enforceSetting", + "allowedValues": [ + "enforceSetting", + "disabled" + ] + }, + "mlAllowedPython": { + "type": "string", + "defaultValue": "enforceSetting", + "allowedValues": [ + "enforceSetting", + "disabled" + ] + }, + "mlAllowedRegistries": { + "type": "string", + "defaultValue": "enforceSetting", + "allowedValues": [ + "enforceSetting", + "disabled" + ] } }, "policyDefinitions": [ @@ -111,6 +185,96 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449", + "parameters": { + "effect": { + "value": "[parameters('mlIdleShutdown')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-ML-Virtual-Network", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1", + "parameters": { + "effect": { + "value": "[parameters('mlVirtualNetwork')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7", + "parameters": { + "effect": { + "value": "[parameters('mlLegacyMode')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-ML-Private-Link", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b", + "parameters": { + "effect": { + "value": "[parameters('mlPrivateLink')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-ML-Resource-Logs", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6", + "parameters": { + "effect": { + "value": "[parameters('mlResourceLogs')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90", + "parameters": { + "effect": { + "value": "[parameters('mlAllowedRegistryDeploy')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Module", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003", + "parameters": { + "effect": { + "value": "[parameters('mlAllowedModule')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Python", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752", + "parameters": { + "effect": { + "value": "[parameters('mlAllowedPython')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003", + "parameters": { + "effect": { + "value": "[parameters('mlAllowedRegistries')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null diff --git a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json index f58a16c10..2b6dbbbc5 100644 --- a/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json +++ b/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_enforce_guardrails_openai.tmpl.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)", "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -70,6 +70,47 @@ "Deny", "Disabled" ] + }, + "azureAiNetworkAccess": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ] + }, + "azureAiPrivateLink": { + "type": "string", + "defaultValue": "Audit", + "allowedValues": [ + "Audit", + "Disabled" + ] + }, + "azureAiDisableLocalKey": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "azureAiDisableLocalKey2": { + "type": "string", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ] + }, + "azureAiDiagSettings": { + "type": "string", + "defaultValue": "AuditIfNotExists", + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ] } }, "policyDefinitions": [ @@ -132,6 +173,56 @@ } }, "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "parameters": { + "effect": { + "value": "[parameters('azureAiNetworkAccess')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782", + "parameters": { + "effect": { + "value": "[parameters('azureAiPrivateLink')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544", + "parameters": { + "effect": { + "value": "[parameters('azureAiDisableLocalKey')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30", + "parameters": { + "effect": { + "value": "[parameters('azureAiDisableLocalKey2')]" + } + }, + "groupNames": [] + }, + { + "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings", + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb", + "parameters": { + "effect": { + "value": "[parameters('azureAiDiagSettings')]" + } + }, + "groupNames": [] } ], "policyDefinitionGroups": null