From 13adec3b3045049f59d928c07cf44ccbda48efdc Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Tue, 3 Sep 2024 12:13:10 +0200 Subject: [PATCH] Updated documentation for Azure Monitor Baseline Alerts Initiatives (#1756) Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> --- docs/wiki/ALZ-Deprecated-Services.md | 3 +- docs/wiki/ALZ-Policies.md | 60 ++++++++++++++++------------ docs/wiki/Whats-new.md | 58 ++++++++++++++++----------- 3 files changed, 71 insertions(+), 50 deletions(-) diff --git a/docs/wiki/ALZ-Deprecated-Services.md b/docs/wiki/ALZ-Deprecated-Services.md index 9bf5810b54..564b945fbd 100644 --- a/docs/wiki/ALZ-Deprecated-Services.md +++ b/docs/wiki/ALZ-Deprecated-Services.md 
@@ -15,7 +15,7 @@ As policies and services are further developed by Microsoft, one or more Azure L ## Deprecated policies -New Azure Policies are being developed and created by product groups that support their services and are typically of the `built-in` type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new `built-in` policies instead of ALZ `custom` policies. Through this process, `custom` ALZ policies will be deprecated when new `built-in` policies are available that provide the same capability, which ultimately reduces maintenance overhead for `custom` policies. +New Azure Policies are being developed and created by product groups that support their services and are typically of the `built-in` type. These new policies often replace legacy policies which get deprecated and usually provide guidance on which policy to use instead. Azure Landing Zones (ALZ) policies are not exempt from this, and over time some policies will be updated to leverage new `built-in` policies instead of ALZ `custom` policies. Through this process, `custom` ALZ policies will be deprecated when new `built-in` policies are available that provide the same capability, which ultimately reduces maintenance overhead for `custom` policies. Policies being deprecated: @@ -42,6 +42,7 @@ Policies being deprecated: | Configure Arc-enabled SQL Servers to auto install Microsoft Defender for SQL and DCR with a user-defined LAW
ID: `Deploy-MDFC-Arc-Sql-DefenderSQL-DCR` | [`63d03cbd-47fd-4ee1-8a1c-9ddf07303de0`](https://www.azadvertizer.net/azpolicyadvertizer/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0.html) | Custom policy replaced by built-in requires less administration overhead | | Configure Arc-enabled SQL Servers with DCR Association to Microsoft Defender for SQL user-defined DCR
ID: `Deploy-MDFC-Arc-SQL-DCR-Association` | [`2227e1f1-23dd-4c3a-85a9-7024a401d8b2`](https://www.azadvertizer.net/azpolicyadvertizer/2227e1f1-23dd-4c3a-85a9-7024a401d8b2.html) | Custom policy replaced by built-in requires less administration overhead | | Deploy User Assigned Managed Identity for VM Insights
ID: `Deploy-UserAssignedManagedIdentity-VMInsights` | Deprecating as it's no longer required | User-Assigned Management Identity is now centralized and deployed by Azure Landing Zones to the Management Subscription. | +| Deploy Azure Monitor Baseline Alerts for Landing Zone
ID: `Alerting-LandingZone` | [`Alerting-KeyManagement`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-KeyManagement)
[`Alerting-LoadBalancing`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-LoadBalancing)
[`Alerting-NetworkChanges`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-NetworkChanges)
[`Alerting-RecoveryServices`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-RecoveryServices)
[`Alerting-Storage`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-Storage)
[`Alerting-VM`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-VM)
[`Alerting-Web`](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Alerting-Web) | To provide more flexibility for future growth we are transitioning from a single Landing Zone policy initiative and instead we are adopting a modular approach by splitting the Landing Zone initiative into distinct components (initiatives) | >IMPORTANT: note that we have deprecated ALL ALZ custom Diagnostic Setting features as part of Azure Landing Zones, which includes the initiatives and all 53 policies. These are being deprecated in favor of using (and assigning) the built-in initiative [Enable allLogs category group resource logging for supported resources to Log Analytics](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html) diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md index e72ad4ba06..852690e655 100644 --- a/docs/wiki/ALZ-Policies.md +++ b/docs/wiki/ALZ-Policies.md @@ -60,11 +60,11 @@ This management group is a parent to all the other management groups created wit Management Group Policy Configuration - + ![image](./media/IntRoot_v0.1.jpg) - + - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **13** | 
@@ -87,7 +87,8 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Audit-UnusedResourcesCostOptimization** | **Audit-UnusedResourcesCostOptimization** | `Policy Definition Set`, **Custom** | Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost. | Audit | | **Audit-TrustedLaunch** | **Audit-TrustedLaunch** | `Policy Definition Set`, **Custom** | Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch. | Audit | | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | `Policy Definition`, **Built-In** | Deny virtual machines not using managed disk. It checks the managedDisk property on virtual machine OS Disk fields. | Deny | -| **Deploy Azure Monitor Baseline Alerts for Service Health** | **Deploy Azure Monitor Baseline Alerts for Service Health** | `Policy Definition Set`, **Custom** | Deploys service health alerts, action group and alert processing rule. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Service Health** | **Deploy Azure Monitor Baseline Alerts for Service Health** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Service Health Events such as Service issues, Planned maintenance, Health advisories, Security advisories, and Resource health. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. 
| DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts - Notification Assets** | **Deploy Azure Monitor Baseline Alerts - Notification Assets** | `Policy Definition Set`, **Custom** | Deploys Notification Assets for Azure Monitor Baseline Alerts. This includes the setup of an Alert Processing Rule and an Action Group to manage notifications and actions, along with a Notification Suppression Rule to manage alert notifications, as well as a Notification Suppression Rule to control alert notifications. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. | DeployIfNotExists | | **Resources should be Zone Resilient** | **Resources should be Zone Resilient** | `Policy Definition Set`, **Built-in** | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deploy Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://aka.ms/AZResilience for more info. | Audit | | **Resource Group and Resource locations should match** | **Resource Group and Resource locations should match** | `Policy Definition`, **Built-in** | In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains. | Audit | @@ -99,11 +100,11 @@ This management group contains all the platform child management groups, like ma Management Group Policy Configuration - + ![image](./media/Platform_v0.1.svg) - + - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **10** | 
@@ -134,11 +135,11 @@ This management group contains a dedicated subscription for connectivity. This s Management Group Policy Configuration - + ![image](./media/Connectivity_v0.1.jpg) - + - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **1** | @@ -160,11 +161,11 @@ This management group contains a dedicated subscription for management, monitori Management Group Policy Configuration - + ![image](./media/Management_v0.1.jpg) - + - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **1** | @@ -187,11 +188,11 @@ This management group contains a dedicated subscription for identity. This subsc Management Group Policy Configuration - + ![image](./media/Identity_v0.1.jpg) - + - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **1** | @@ -220,7 +221,7 @@ This is the parent management group for all the landing zone child management gr ![image](./media/LandingZone_v0.1.jpg) - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **13** | 
@@ -249,7 +250,6 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Kubernetes clusters should not allow container privilege escalation** | **Kubernetes clusters should not allow container privilege escalation** | `Policy Definition`, **Built-in** | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Audit | | **Kubernetes clusters should be accessible only over HTTPS** | **Kubernetes clusters should be accessible only over HTTPS** | `Policy Definition`, **Built-in** | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | | **Web Application Firewall (WAF) should be enabled for Application Gateway** | **Web Application Firewall (WAF) should be enabled for Application Gateway** | `Policy Definition`, **Built-in** | Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. | Audit | -| **Deploy Azure Monitor Baseline Alerts for Landing Zone**\* | **Deploy Azure Monitor Baseline Alerts for Landing Zone** | `Policy Definition Set`, **Custom** | Deploys alerting for landing zone related resources. 
For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | | **Enable Azure Monitor for VMs**\* | **Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | | **Enable Azure Monitor for Virtual Machine Scale Sets**\* | **Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | | **Enable Azure Monitor for Hybrid Virtual Machines**\* | **Enable Azure Monitor for Hybrid VMs with AMA** | `Policy Definition Set`, **Built-in** | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists, Disabled | 
@@ -258,6 +258,14 @@ The table below provides the specific **Custom** and **Built-in** **policy defin | **Enable ChangeTracking and Inventory for virtual machine scale sets**\* | **[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for virtual machines scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable ChangeTracking and Inventory for Arc-enabled virtual machines**\* | **[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines** | `Policy Definition Set`, **Built-in** | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists, Disabled | | **Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers**\* | **Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace** | `Policy Definition Set`, **Built-in** | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists, Disabled | +| **Deploy Azure Monitor Baseline Alerts for Hybrid VMs** | **Deploy Azure Monitor Baseline Alerts for Hybrid VMs** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Azure Arc-enabled Servers. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. 
| DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Key Management** | **Deploy Azure Monitor Baseline Alerts for Key Management** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Key Management Services such as Azure Key Vault, and Managed HSM. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Load Balancing** | **Deploy Azure Monitor Baseline Alerts for Load Balancing** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Load Balancing Services such as Load Balancer, Application Gateway, Traffic Manager, and Azure Front Door. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Changes in Network Routing and Security** | **Deploy Azure Monitor Baseline Alerts for Changes in Network Routing and Security** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor alterations in Network Routing and Security, such as modifications to Route Tables and the removal of Network Security Groups. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Recovery Services** | **Deploy Azure Monitor Baseline Alerts for Recovery Services** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Recovery Services such as Azure Backup, and Azure Site Recovery. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. 
| DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Storage** | **Deploy Azure Monitor Baseline Alerts for Storage** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Storage Services such as Storage accounts. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Virtual Machines** | **Deploy Azure Monitor Baseline Alerts for Virtual Machines** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Azure Virtual Machines. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | +| **Deploy Azure Monitor Baseline Alerts for Web** | **Deploy Azure Monitor Baseline Alerts for Web** | `Policy Definition Set`, **Custom** | Deploys Azure Monitor Baseline Alerts to monitor Web Services such as App Services. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives. | DeployIfNotExists | > \* The AMA policies and initiatives are in effect for the portal implementation only. Terraform and Bicep will adopt these policies in the near future. @@ -273,7 +281,7 @@ This management group is for corporate landing zones. This group is for workload ![image](./media/Corp_v0.1.jpg) - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **2** | @@ -302,7 +310,7 @@ This management group is for online landing zones. This group is for workloads t ![image](./media/Online_v0.1.jpg) - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **0** | @@ -321,7 +329,7 @@ This management group is for landing zones that are being cancelled. Cancelled l ![image](./media/Decom_v0.1.svg) - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **1** | 
@@ -344,7 +352,7 @@ This management group is for subscriptions that will only be used for testing an ![image](./media/Sandbox_v0.1.svg) - + | **Policy Type** | **Count** | | :--- | :---: | | `Policy Definition Sets` | **1** | @@ -398,18 +406,18 @@ This version is incremented according to the following rules (subject to change) - String changes (displayName, description, etc…) - Other metadata changes - **Suffix** - - Append "-preview" to the version if the policy is in a preview state + - Append "-preview" to the version if the policy is in a preview state - Example: 1.3.2-preview - Append "-deprecated" to the version if the policy is in a deprecated state - Example: 1.3.2-deprecated - + ## Preview and deprecated policies -This section aims to explain what it means when a built-in policy has a state of ‘preview’ or ‘deprecated’. +This section aims to explain what it means when a built-in policy has a state of ‘preview’ or ‘deprecated’. Policies can be in preview because a property (alias) referenced in the policy definition is in preview, or the policy is newly introduced and would like additional customer feedback. A policy may get deprecated when the property (alias) becomes deprecated & not supported in the resource type's latest API version, or when there is manual migration needed by customers due to a breaking change in a resource type's latest API version. -When a policy gets deprecated or gets out of preview, there is no impact on existing assignments. Existing assignments continue to work as-is. The policy is still evaluated & enforced like normal and continues to produce compliance results. +When a policy gets deprecated or gets out of preview, there is no impact on existing assignments. Existing assignments continue to work as-is. The policy is still evaluated & enforced like normal and continues to produce compliance results. Here are the changes that occur when a policy gets deprecated: 
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index b5a86325d0..c1d238e0d3 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md 
@@ -48,12 +48,24 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### September 2024 +#### Documentation + +- The [ALZ Policies](./ALZ-Policies) and [ALZ Deprecated Services](./ALZ-Deprecated-Services) documentation has been updated to reflect changes in AMBA. To provide more flexibility for future growth AMBA is transitioning from a single Landing Zone policy initiative and instead is adopting a modular approach by splitting the Landing Zone initiative into the following distinct components (initiatives): + - Key Management + - Load Balancing + - Network Changes + - Recovery Services + - Storage + - VM + - Web +- [Guidance](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05/) for updating and implementing these changes in existing environments is available on the AMBA website. - Updated the Azure Monitoring Baseline Alerts (AMBA) integration section in the portal accelerator to include new features exposed by the AMBA solution. To read more on the changes https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz/Whats-New/ + ### August 2024 > NOTE TO CONTRIBUTORS: Due to security compliance requirements, we've made core changes that mean we no longer automatically build the policies, initiatives and roles templates after changes in the `src` folder are committed. This means that you as a contributor must run the bicep build commands to generate the required outputs as part of your pull request. 
Depending on the files you've updated these are the commands (assuming you have bicep installed): -> +> > - `bicep build ./src/templates/policies.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/policies.json` > - `bicep build ./src/templates/initiatives.bicep --outfile ./eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json` > - `bicep build ./src/templates/roles.bicep --outfile ./eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json` 
@@ -138,7 +150,7 @@ This release includes: - Deprecating the ALZ custom diagnostic settings policies (53) and initiative (1) - NOTE: going forward if you have issues with Diagnostic Settings, please open an Azure support ticket - Updated [Audit-PublicIpAddresses-UnusedResourcesCostOptimization](https://www.azadvertizer.net/azpolicyadvertizer/Audit-PublicIpAddresses-UnusedResourcesCostOptimization.html) to check for `static` public IP addresses that are not associated with any resources (instead of `not basic`). -- Fixed the bug with [Configure Azure Machine Learning workspace to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/ee40564d-486e-4f68-a5ca-7a621edae0fb.html) policy where `secondPrivateDnsZoneId` parameter was missing which was leaving AML private endpoints incomplete. +- Fixed the bug with [Configure Azure Machine Learning workspace to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/ee40564d-486e-4f68-a5ca-7a621edae0fb.html) policy where `secondPrivateDnsZoneId` parameter was missing which was leaving AML private endpoints incomplete. - Updated `Audit-PrivateLinkDnsZones` display name to include the fact it can be `audit` or `deny` - Added the [Configure BotService resources to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/6a4e6f44-f2af-4082-9702-033c9e88b9f8.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment. - Added the [Configure Azure Managed Grafana workspaces to use private DNS zones](https://www.azadvertizer.net/azpolicyadvertizer/4c8537f8-cd1b-49ec-b704-18e82a42fd58.html) built-in policy to the "Deploy-Private-DNS-Zones" initiative and assignment. 
@@ -260,7 +272,7 @@ Yes, the Q2 Policy Refresh has been delayed due to a light past quarter and some - 🎉 Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode. - Added new default assignment at the Intermediate Root Management Group for [Resource Group and Resource locations should match](https://www.azadvertizer.net/azpolicyadvertizer/0a914e76-4921-4c19-b460-a2d36003525a.html), which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience. -- We are deprecating MariaDB custom policies. For more information: [ALZ Policies FAQ](./ALZ-Policies-FAQ) +- We are deprecating MariaDB custom policies. For more information: [ALZ Policies FAQ](./ALZ-Policies-FAQ) - Fixed a typo in the Private DNS Zones initiative for the policy definition IDs for Databrics (corrected to Databricks). While not a breaking change, it is recommended to redeploy the initiative to ensure the correct policy definition IDs are used if you are using Private DNS Zones for Databricks - specifically if you have configured any exclusions or overrides for the Databricks policy definitions, as these rely on the policy definition ID (which has been updated). You will need to recreate the exclusions or overrides for Databricks if you choose not to redeploy the initiative. 
- Added ['Container Apps environment should disable public network access'](https://www.azadvertizer.net/azpolicyadvertizer/d074ddf8-01a5-4b5e-a2b8-964aed452c0a.html) to ['Deny-PublicPaaSEndpoints'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html) - Added ['Container Apps should only be accessible over HTTPS'](https://www.azadvertizer.net/azpolicyadvertizer/0e80e269-43a4-4ae9-b5bc-178126b8a5cb.html) to this ['Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit'.](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) @@ -427,7 +439,7 @@ Major update in this release: introducing the Policy Testing Framework foundatio #### Other -- When the option to deploy Log Analytics workspace and enable monitoring is enabled (Yes) in the Platform management, security, and governance section, Diagnostic Settings for Management Groups are also deployed. +- When the option to deploy Log Analytics workspace and enable monitoring is enabled (Yes) in the Platform management, security, and governance section, Diagnostic Settings for Management Groups are also deployed. ### May 2023 
@@ -540,7 +552,7 @@ Note that a number of initiatives have been updated that will fail to deploy if ##### Update - Removed deprecated policy [[Deprecated]: Latest TLS version should be used in your API App (azadvertizer.net)](https://www.azadvertizer.net/azpolicyadvertizer/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e.html) from initiative [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html) as recommended policy is already included in the initiative. - - **BREAKING CHANGE** (parameters changed): + - **BREAKING CHANGE** (parameters changed): - Delete assignment [Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit.html). - Delete custom initiative prior to applying updates as parameters have changed, then re-assign. - Delete orphaned indentity on Landing Zone scope. @@ -627,7 +639,7 @@ Note that a number of initiatives have been updated that will fail to deploy if #### Docs - Migrated the following pages to the [Enterprise-Scale Wiki](https://github.com/Azure/Enterprise-Scale/wiki/) - + | Original URL | New URL | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | | [docs/ESLZ-Policies.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/ESLZ-Policies.md) | [wiki/ALZ-Policies](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) | 
@@ -640,8 +652,8 @@ Note that a number of initiatives have been updated that will fail to deploy if | [docs/EnterpriseScale-Roadmap.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Roadmap.md) | [wiki/ALZ-Roadmap](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Roadmap) | | [docs/EnterpriseScale-Setup-aad-permissions.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-aad-permissions.md) | [wiki/ALZ-Setup-aad-permissions](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions) | | [docs/EnterpriseScale-Setup-azure.md](https://github.com/Azure/Enterprise-Scale/blob/main/docs/EnterpriseScale-Setup-azure.md) | [wiki/ALZ-Setup-azure](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure) | - - + + - Updated the guidance for contributing to the [Azure/Enterprise-Scale](https://github.com/Azure/Enterprise-Scale/) repository #### Tooling 
@@ -679,20 +691,20 @@ Note that a number of initiatives have been updated that will fail to deploy if - "**Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace**" definition added and also added to `Deploy-Diagnostics-LogAnalytics` initiative - "**Deploy Diagnostic Settings for Databricks to Log Analytics workspace**" definition update - + - Version 1.1.0 -> 1.2.0 - Added missing log categories - "**Deploy SQL Database security Alert Policies configuration with email admin accounts**" definition update - + - Version 1.0.0 -> 1.1.1 - Changed email addresses from hardcoding to array parameter - "**Deploy SQL Database Transparent Data Encryption**" definition update - + - Version 1.0.0 -> 1.1.0 - Added system databases master, model, tempdb, msdb, resource to exclusion parameter as default values - Added as Policy Rule 'notIn' which will exclude the above databases from the policy - Updated "**Deploy-Private-DNS-Zones**" Custom initiative for **Azure Public Cloud**, with latest built-in Policies. Policies were added for the following Services: - + - Azure Automation - Azure Cosmos DB (all APIs: SQL, MongoDB, Cassandra, Gremlin, Table) - Azure Data Factory @@ -703,7 +715,7 @@ Note that a number of initiatives have been updated that will fail to deploy if - Azure Media Services - Azure Monitor - Minor fixes related to "**Deploy-Private-DNS-Zones**" Custom Initiative and respective Assignment: - + - Added missing Zones for **"WebPubSub"** and **"azure-devices-provisioning"**, so Initiative Assignment works correctly - Minor correction related to **ASR Private DNS Zone variable**, so Initiative Assignment works correctly - Conversion of **"Azure Batch"** Private DNS Zone (from regional to global), to properly align with latest respective documentation and functionality 
@@ -712,28 +724,28 @@ Note that a number of initiatives have been updated that will fail to deploy if - Added `Configure Microsoft Defender for Azure Cosmos DB to be enabled` to the `Deploy Microsoft Defender for Cloud configuration` initiative and updated version to `3.1.0` - Fixing issue [issue #1081](https://github.com/Azure/Enterprise-Scale/issues/1081) - Added `AZFWFlowTrace` category for Azure Firewall in associated Diagnostic Policy - Deprecated the following ALZ policies - + - [Deploy-Nsg-FlowLogs](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs.html) - [Deploy-Nsg-FlowLogs-to-LA](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Nsg-FlowLogs-to-LA.html) - [Deny-PublicIp](https://www.azadvertizer.net/azpolicyadvertizer/Deny-PublicIP.html) - + in favour of Azure built-in policies with the same or enhanced functionality. - + | ALZ Policy ID(s) | Azure Builti-in Policy ID(s) | | --------------------------- | -------------------------------------- | | Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 | | Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 | | Deny-PublicIp | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | - - + + - "**"Deploy-ASC-SecurityContacts"**" definition update - + - displayName and description update to "Deploy Microsoft Defender for Cloud Security Contacts" - Added new parameter `minimalSeverity` with settings - Default value `High` - Allowed values: `High`, `Medium`, `Low` - "**"Deploy-MDFC-Config"**" definition update - + - Updated policy definitions set Deploy-MDFC-Config, Deploy-MDFC-Config(US Gov), Deploy-MDFC-Config (China) - added new parameter `minimalSeverity`. - added default value for multiple parameters. 
@@ -786,7 +798,7 @@ Note that a number of initiatives have been updated that will fail to deploy if #### Docs - Updated the Enterprise-scale [Wiki](https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/) to reflect the latest updates on Azure landing zone accelerator. - + - [Deploy Azure landing zone portal accelerator](./Deploying-ALZ) - [Deployment guidance for Small Enterprises](./Deploying-ALZ-BasicSetup) - [How to deploy without hybrid connectivity](./Deploying-ALZ-Foundation) @@ -1036,7 +1048,7 @@ Note that a number of initiatives have been updated that will fail to deploy if - Replaced `Deploy-Default-Udr` policy with `Deploy-Custom-Route-Table` that allows deploying custom route tables with an arbitrary set of UDRs (including a 0/0 default route if needed). See [here](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/deploy-policy-driven-routing.md) for usage details. - Updated `Deploy-Budget` policy, to v1.1.0, adding new parameter of `budgetName` that defaults to: `budget-set-by-policy` - closing issue [#842](https://github.com/Azure/Enterprise-Scale/issues/842) - + - Including Fairfax - Also Mooncake (Azure China) even though not in use yet - Added `AuditEvent` to `Deploy-Diagnostics-AA` Policy Definition to ensure correct compliance reporting on Automation Account used for diagnostics - closing issue [#864](https://github.com/Azure/Enterprise-Scale/issues/864) 
@@ -1171,7 +1183,7 @@ Note that a number of initiatives have been updated that will fail to deploy if - Various custom ESLZ Azure Policies have moved to Built-In Azure Policies, see below table for more detail: > You may continue to use the ESLZ custom Azure Policy as it will still function as it does today. However, we recommend you move to assigning the new Built-In version of the Azure Policy. -> +> > **Please note** that moving to the new Built-In Policy Definition will require a new Policy Assignment and removing the previous Policy Assignment, which will mean compliance history for the Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace; Policy Assignment historic data will be stored here as per the retention duration configured. **Policy Definitions Updates**
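Review bot: The @@ -640, @@ -679, @@ -703, @@ -786, @@ -1036 and @@ -1171 hunks are trailing-whitespace trims only (`- ` → `+`, `-> ` → `+>`) with no change to the changelog wording; since the commit subject is "Updated documentation for Azure Monitor Baseline Alerts Initiatives", consider either splitting this formatting churn into its own commit or stating it in the commit message so the substantive documentation change stays easy to review.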
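Review bot: In the @@ -712 hunk the whitespace trims sit directly beside unchanged lines with typos that should be fixed in the same pass: the table header `Azure Builti-in Policy ID(s)` should read `Azure Built-in Policy ID(s)`; `Fixing issue [issue #1081]` repeats the word "issue"; and the doubled quoting in `"**"Deploy-ASC-SecurityContacts"**"` and `"**"Deploy-MDFC-Config"**"` renders as stray quote characters, where `"**Deploy-ASC-SecurityContacts**"` would match the style of the other entries (compare `"**Deploy SQL Database Transparent Data Encryption**"` in the @@ -679 hunk).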