
Added new custom policy definitions and assignments #192

Closed
wants to merge 3 commits into from

Conversation

rupanjanam

Overview/Summary

Replace this with a brief description of what this Pull Request fixes, changes, etc.

This PR fixes/adds/changes/removes

  1. Policy to send AKS Diagnostics to an Event Hub
  2. Policy to enable Azure Defender Standard for OSS Relational Database
  3. Audit App Gateways that don't have a WAF policy associated
  4. Deny creation of AKS Cluster without Azure AD RBAC

Breaking Changes

None

Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

As part of this Pull Request I have

  • [Yes] Checked for duplicate Pull Requests
  • [No] Associated it with relevant issues, for tracking and closure.
  • [Yes] Ensured my code/branch is up-to-date with the latest changes in the main branch
  • [Yes - tested and deployed in a customer environment] Performed testing and provided evidence.
  • [No] Updated relevant and associated documentation.
  • [No] Updated the "What's New?" wiki page (located in the Enterprise-Scale repo in the directory: /docs/wiki/whats-new.md)

@ghost

ghost commented Oct 18, 2021

CLA assistant check
All CLA requirements met.

@krowlandson krowlandson self-assigned this Nov 5, 2021
@krowlandson krowlandson self-requested a review November 5, 2021 15:25
@krowlandson krowlandson added do not merge enhancement New feature or request labels Nov 5, 2021
@krowlandson
Contributor

@rjnmylife... thank you for submitting this PR and your patience waiting for us to respond.

I'm adding this to our backlog to review, but in the meantime would you mind providing some rationale behind these additions to the module (rather than adding via the custom library path option) and what the intended outcome is in terms of Enterprise-scale?

As a module, we are (believe it or not) trying not to become a source of policies. Instead, we are working to get all of our policies included as built-in on Azure. As this takes time, we offer a limited selection of definitions via Enterprise-scale to help customers implement controls aligned with our recommendations.

Assuming your intent is to have these policies considered for inclusion, we would first need to have them added to the Azure/Enterprise-Scale repository as this is where we source all of our custom definitions from.

Happy to help guide you through this process once we better understand the ask.

Just a couple of comments relating to the additions:

| Definition | Comments |
|---|---|
| Policy to send AKS Diagnostics to an Event Hub | We currently only send logs to a Log Analytics workspace. We also have a recommendation stating "Don't send raw log entries back to on-premises monitoring systems. Instead, adopt a principle that data born in Azure stays in Azure. If on-premises SIEM integration is required, then send critical alerts instead of logs." under Plan platform management and monitoring. Is this something you have considered? |
| Policy to enable Azure Defender Standard for OSS Relational Database | This is being added soon through an update to the built-in policies which will enable this feature, so a custom policy will no longer be required. |
| Audit App Gateways that don't have a WAF policy associated | Does the Deny-AppGW-Without-WAF Policy Definition not provide what you are looking for when setting the effect parameter to Audit? |
| Deny creation of AKS Cluster without Azure AD RBAC | This one needs further consideration but seems like a fair ask. |

cc: @krnese for further input.

@rupanjanam
Author

Hi Kevin,

The policies were added because they are requested by customers many times:

  1. For sending the AKS logs to an Event Hub, the customers don't plan to send logs to on-premises systems and plan to analyze the logs captured within Event Hub. Log Analytics would have been a more expensive option for the customers.
  2. Noted on the Built-In policy for Defender for OSS DB
  3. The reason we built this policy is that, when we use CAF to associate a WAF policy with an App Gateway, the built-in policy doesn't audit this App Gateway as a compliant resource. To mitigate this we built this custom policy. We felt this could be a helpful addition to the ES policy modules.
  4. This AKS RBAC policy is consistently requested by customers.
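The following is an added example definition for the gap described in point 3 above; it is not the policy from this PR nor a definition from the Enterprise-Scale library. The thread does not say why the built-in check misses a gateway whose WAF is attached through a standalone WAF policy; one plausible cause (an assumption here) is that the check inspects only the inline webApplicationFirewallConfiguration block. The definition below therefore treats either form as compliant and flags only gateways that have neither a firewallPolicy reference nor inline WAF enabled. The definition name, parameter layout and the two field aliases are assumptions for this example; confirm the aliases resolve in the target tenant with `az provider show --namespace Microsoft.Network --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"` before assigning it.

```json
{
  "name": "Audit-AppGW-Without-WAF-Policy",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Application Gateways should have a WAF policy associated or inline WAF enabled",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example only. Flags Application Gateways that neither reference a standalone WAF policy (firewallPolicy.id) nor have the legacy inline WAF configuration enabled. A gateway satisfying either form is treated as compliant.",
    "metadata": {
      "category": "Network",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant gateways; Deny blocks create/update of gateways without WAF."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/applicationGateways"
          },
          {
            "field": "Microsoft.Network/applicationGateways/firewallPolicy.id",
            "exists": "false"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.enabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.enabled",
                "notEquals": true
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it with the default Audit effect first and review the compliance results before switching the assignment to Deny; Deny only affects create and update requests, so gateways that already exist without WAF will keep showing as non-compliant until they are remediated. Both forms of WAF require a WAF_v2 (or WAF) SKU, so a gateway on a Standard SKU will be flagged regardless of how the policy is attached.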

@krowlandson
Contributor

Thank you for the additional details @rjnmylife

  1. I think this is one we could look to add, but will need to be done within Azure/enterprise-scale
  2. This is being delivered on the next release. You can see I've included this change in PR Update Library Templates (automated) #221.
  3. I'll review this to see where the problem is, but is this something we can resolve on the built-in policy rather than add a duplicate?
  4. We can also add this request to the issues in Azure/enterprise-scale for further consideration

@matt-FFFFFF
Member

closing due to age
