azure / azure-policy Goto Github PK

Hi, Right now there's a policy definition to restrict VMs without using managed disks as the OS disk.
I'd like to extend this capability and also have the ability to restrict VMs use a vhd in a storage account as a data disk. can an alias for data disk be created to cater for this?

Thanks
Tao

Scenario

Deny Dynamic IP Address allocation on subnet.

Definition

{
	"properties": {
		"displayName": "Enforce Static IP",
		"description": "Enforce Static IP",
		"parameters": {
			
			"effect": {
                "type": "String",
                "allowedValues": [
                    "auditIfNotExists",
                    "deny"
                ],
                "metadata": {
                    "displayName": "Policy Effect"
                }
            },
			
			"setting": {
                "type": "String",
                "allowedValues": [
                    "Dynamic",
                    "Static"
                ],
                "metadata": {
                    "displayName": "Threat Detection Setting"
                }
            }
		
		},
		"policyRule": {
			"if": {
				"allOf": [
					{
						"field": "type",
						"equals": "Microsoft.Network/networkInterfaces"
					},
					{
						"field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].privateIPAllocationMethod",
						"notEquals": "[parameters('setting')]"
					}
				]
			},
			"then": {
				"effect": "[parameters('effect')]",
				"details": {

                    "type": "Microsoft.Network/networkInterfaces",

                    "name": "default",

                    "existenceCondition": {

                        "allOf": [

                            {

                                "field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].privateIPAllocationMethod",

                                "notEquals": "[parameters('effect')]"

                            }

                        ]

                    }

                }
			}
			
		}
	}
}
'''

• Scenario
  Permit to check that webapp are correctly authentification settings enabled

• Definition

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites/config"
},
{
"field": "Microsoft.Web/sites/config/siteAuthEnabled",
"equals": "true"
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {},
"metadata": {
"category": "x_CustomPolicy"
}
}

Deploy if not exist doesnt work with the given example for network watcher

New-AzureRmPolicyDefinition : InvalidPolicyRuleEffect : The policy definition 'deploy-NW-in-vnet-regions' rule is invalid. The policy 'effect' property value cannot be 'DeployIfNotExists'.
At line:1 char:15

• ... efinition = New-AzureRmPolicyDefinition -Name "deploy-NW-in-vnet-regi ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : CloseError: (:) [New-AzureRmPolicyDefinition], ErrorResponseMessageException
  • FullyQualifiedErrorId : InvalidPolicyRuleEffect,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzurePolicyDefinitionCmdlet

Any idea what to do ?

I created a built-in policy Allowed location and assigned to my target resource. The policy is effective. However, when I checked definition template I didn't see location indicated.

{
  "if": {
    "allOf": [
      {
        "field": "location",
        "notIn": "[parameters('listOfAllowedLocations')]"
      },
      {
        "field": "location",
        "notEquals": "global"
      },
      {
        "field": "type",
        "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}

There must be a value inside this element notIn": "[parameters('listOfAllowedLocations')]" but where exactly I can find to adjust?

Hi guys,

I've created the policy definition and assigned to my VS Pro subscription.
However, I am still able to create a Resource Group without fail.
I have tried changed the resource type from "Microsoft.Resources/subscriptions/resourceGroups" to "Microsoft.Resources/resourceGroups" wondering if it was an issue with that. But that didn't work either.

Wondering if I'm missing something?

Cheers,
Tim

Scenario: we are checking compliance with following security requirement: To connect to Azure SQL from outside of VNETs the usage of SQL Gateway is mandatory
Definition: TBD

To ensure my web app to use mutual client authentication which is considered a security practice, I'd like to audit clientCertEnabled. Below is the sample definition

{
  "policyRule":{
    "if":{
      "allOf":[
        {
          "field":"type",
          "equals":"Microsoft.Web/sites/config"
        },
        {
          "field":"Microsoft.Web/sites/config/clientCertEnabled",
          "equals":"true"
        }
        ]},
        "then":
        {
          "effect":"audit"
        }},
        "parameter":{},
        "metadata":{
          "category":"Web App Security"
        }
} 

Scenario: we are checking compliance with following security requirement: Enable failure auditing for Azure SQL logins and access
Definition: TBD

Scenario: we are checking compliance with following security requirement: Use subnet NSGs to make sure that ports allowed must match load balancer listener
Definition: TBD

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HDInsight/clusters"
},
{
"not": {
"field": "Microsoft.HDInsight/clusters/properties/securityProfile.domain",
"equals": "dummy ad"
}
},
{
"not": {
"field": "Microsoft.HDInsight/clusters/properties/securityProfile.ldapUrls",
"equals": "dummy ldap"
}
}

            ]
        },
        "then": {
            "effect": "audit"
        }
    }
}

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HDInsight/clusters"
},
{
"not": {
"field": "Microsoft.HDInsight/clusters/properties/virtualNetworkProfile.id",
"equals": "3435"
}
}
]
},
"then": {
"effect": "audit"
}
}
}

Audit AAD SQL user for Admin.

As far as my understanding, when Azure Policy scans, events are recorded and displayed in Events tab. But from what I've noticed, there is no event shown.

What does exactly Event mean? The tooltip seems to show a hint but still not to be clear (Events are recorded when policy effect is exercised after resource evaluation).

Scenario: we are checking compliance with following security requirement: Use subnet NSGs to make sure that ports allowed must match load balancer listener
Definition: TBD

Scenario: we are checking compliance with following security requirement: " Allow All services" should be set to off in Azure SQL Firewall
Definition: TBD

Scenario: we are checking compliance with following security requirement: To connect to Azure SQL from VNETs the use of SQL endpoint is mandatory
Definition: TBD

Scenario
Use Azure policy to validate SKUs on Azure IoT Hub services.

Rule

{
	"if": {
		"allOf": [
			{
				"field": "type",
				"equals": "Microsoft.Devices/IotHubs"
			},
			{
				"not": {
                    "field": "Microsoft.Devices/IotHubs/sku.name",
                    "in": "[parameters('listOfSKUId')]"
				}
			}
		]
	},
	"then": {
		"effect": "deny"
	}
}

• Scenario
  Permit to check that webapp have http 2.0 Enabled

• Definition

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites/config"
},
{
"field": "Microsoft.Web/sites/config/http20Enabled",
"equals": "true"
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {},
"metadata": {
"category": "x_CustomPolicy"
}
}

• Scenario
  Permit to check that webapp are secure by using only TLS 1.2

• Definition

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites/config"
},
{
"field": "Microsoft.Web/sites/config/minTlsVersion",
"equals": "1.2"
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {},
"metadata": {
"category": "x_CustomPolicy"
}
}

Scenario: we are checking compliance with following security requirement: Enable failure auditing for Azure SQL logins and access
Definition: TBD

** Scenario **

Need to use Azure Policy to ensure all subscriptions in a Management Group are using standard tier of Security Center

** Definition **

{
"policyRule": {
"if": {
"not": {
"field": "Microsoft.Security/complianceResults/pricings",
"equals": "Standard"
}
},
"then": {
"effect": "deny"
}
}
}

Scenario

Disable TLS 1.0 & FrontEndSSLCipherSuiteOrder on App Service Environment.

customers who are dealing with PCI compliance audits, is how to explicitly disable TLS 1.0 for their apps.

This policy will provide required governance assurance to deny ASE createion with TLS 1.0 enabled

Definition

I am not sure how properties settings will surface in policy definition as this is KV pair under properties.

"resources": [
{
   "apiVersion": "2015-08-01",
   "type": "Microsoft.Web/hostingEnvironments",
   "name": ...,
   "location": ...,
   "properties": {
      "clusterSettings": [
         {
                         "name": "DisableTls1.0",
                         "value": "1"

         }
      ],
      "workerPools": [ ...],
      etc...
   }
}


'''

Scenario
Use Azure Policy to check/enforce the WAF firewall mode.
Definition
{
"properties": {
"displayName": "Allowed Application Gateway WAF Mode",
"description": "This policy enables you to detect if the WAF is in detection or prevention mode.",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/applicationGateways"
},
{
"not": {
"field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.firewallMode",
"equals": "Prevention"
}
}
]
},
"then": {
"effect": "Deny"
}
}
}
}

Scenario: we are checking compliance with following security requirement: "Azure Storage Accounts must not grant unrestricted access to all networks including Internet"
Definition: TBD

I am using the examples to create a policy initiative, and then assign this to a subscription. Upon doing so, I am able to view the configuration using Powershell, however, when viewing in the portal, you get a 'broken' Azure blade (Dark cloud with raindrop). If I create the same assignment via the portal, this works fine. I can see that by using powershell, there are some properties missing - i.e. metadata, and notScopes (the latter is actually an array with a count of zero in the configuration via the portal)

Any ideas why this might be?

Scenario : Allow Provisioning of HDInsight Cluster which supports Secure data transfer (https). HDInsight with version 3.6 or newer only supports secured https connection with storage accounts.

Definition:
{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.HDInsight/clusters"
},
{
"not": {
"field": "Microsoft.HDInsight/clusters/properties.clusterVersion",
"equals": "3.6.1000.0"
}
}
]
},
"then": {
"effect": "audit"
}
}
}

Hi,

Actualy it's possible to see "NON-COMPLIANT RESOURCES" but we can't see wich one is compliant.
With this feature, we will be able to see if the policy is working correctly or not.

Thanks.

Scenario: we are checking compliance with following security requirement: Enable failure auditing for Azure SQL logins and access
Definition: TBD

As an example, I would like to create a policy for NSGs that would require/audit for specific rules.

Scenario

There is a scenario in which controlled virtual machines should not have any Public IP addresses associated with its relatively NICs.

Definition

{
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkInterfaces"
        },
        {
          "not": {
            "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
            "exists": false
          }
        },
        {
            "field":"type",
            "equals": "Microsoft.Compute/virtualMachine/networkProfile[*].networkInterfaces.id"
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  }

Remark

Currently Azure Policy supports listing out all NICs with PIP (Public IP) but I'd love to know which non-compliant VMs are in place.

[Update] I also tested with NIC field`` as follows:

        {
            "not":{
            "field":"Microsoft.Compute/virtualMachines/networkInterfaces[*].id",
            "exists": false
            }
        }

But it seems like the result is not going to be out as expected (displaying non-compliant VMs)

@pilor

Scenario
Use Azure Policy to audit the existence of any disabled OWASP rule groups. This may require the addition of a count property to query if there are any items in the collection, as I think the property will always exist regardless of its contents.
Definition

{
  "properties": {
    "displayName": "Disabled Application Gateway WAF Rules",
    "description": "This policy allows you to detect if any of the OWASP rule sets used in the WAF are disabled.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/applicationGateways"
          },
          {
            "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.disabledRuleGroups",
            "exists": "true"
          }
        ]
      },
      "then": {
        "effect": "Audit"
      }
    }
  }
}

Scenario: we are checking compliance with following security requirement: VNET peering must not be enabled or enabled only between owned/approved VNETs
Definition TBD

Scenario: force application of a default Application Security Group to a VM NIC.
Definition:
{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "enforce-asg-on-nic-test",
"properties": {
"displayName": "ASG X on every nic",
"description": "This policy enforces a specific app security group on every virtual network interface",
"parameters": {
"asgId": {
"type": "string",
"metadata": {
"description": "Resource Id of the App Security Group",
"displayName": "App Security Group Id",
"strongType": "appsecuritygroup"
}
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkInterfaces"
},
{
"not": {
"field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.IpConfigurations[0].ApplicationSecurityGroups.Id",
"equals": "[parameters('asgId')]"
}
}
]
},
"then": {
"effect": "append",
"details": [
{
"field": "Microsoft.Network/networkInterfaces/networkSecurityGroup.IpConfigurations[0].ApplicationSecurityGroups.Id",
"value": "[parameters('asgId')]"
}
]
}
}
}
}

It would be good if compliance result could be exported to Azure Log Analytics so we can query & visualize when needed.

Scenario
Use Azure Policy to validate that the WAF is enabled should the SKU allow it.
Definition

{
  "properties": {
    "displayName": "Allowed Application Gateway WAF Configuration",
    "description": "This policy enables you to specify whether the WAF is enabled.",
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/applicationGateways"
          },
          {
            "not": {
              "field": "Microsoft.Network/applicationGateways/sku.name",
              "equals": "Standard"
            }
          },
          {
            "not": {
              "field": "Microsoft.Network/applicationGateways/webApplicationFirewallConfiguration.enabled",
              "equals": "true"
            }
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
{
"not": {
"field": "Microsoft.Storage/storageAccounts/networkAcls.bypass",
"contains": "[parameters('Exceptions')]"
}
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {
"Exceptions": {
"type": "String",
"metadata": {
"displayName": "Exceptions",
"description": "Exceptions"
}
}
},
"metadata": {}
}

Like other Azure services, Access Control (IAM) should be in place to see who have rights to read and create policy. It'd be good for policy access control so nobody can edit and modify policy without rights.

Scenario: we are checking compliance with following security requirement: "Azure Storage Accounts must not grant unrestricted access to all networks including Internet"
Definition: TBD

I would like to be able to control the specifics of the plan that web apps are using. I couldn't find an existing aliases for Microsoft.Web/serverfarms which will allow for that.

https://docs.microsoft.com/en-us/azure/templates/microsoft.web/serverfarms

I think that the sku property is the main one that is missing.

Hi,

I am trying to create policies for SQL Server /db resources where auditing/TDE/threat detection is not enabled. I am using the definition provided ate below url and only changing the effect from auditIfNotExists to deny, but it's not working as per the compliance screen(it shows correctly configured db's also as non-compliante). We have the elastic pool setup configured in our db's.

Please suggest how to apply deny policy for db's/servers which are not configured for auditing/TDE/threat detection?

policy deifnition for tde;

{
  "if": {
    "field": "type",
    "equals": "Microsoft.SQL/servers/databases"
  },
  "then": {
    "effect": "deny",
    "details": {
      "type": "Microsoft.SQL/servers/databases/transparentDataEncryption",
      "name": "current",
      "existenceCondition": {
        "field": "Microsoft.Sql/transparentDataEncryption.status",
        "equals": "Disabled" //I tried enabled too
      }
    }
  }
}

Thanks

To ensure confidentiality, I'd like to audit https enablement on my web app which can be found in httpsOnly. Below is the sample definition

{
  "policyRule":{
    "if":{
      "allOf":[
        {
          "field":"type",
          "equals":"Microsoft.Web/sites/config"
        },
        {
          "field":"Microsoft.Web/sites/config/httpsOnly",
          "equals":"true"
        }
        ]},
        "then":
        {
          "effect":"audit"
        }},
        "parameter":{},
        "metadata":{
          "category":"Web App Security"
        }
} 

Scenario: we are checking compliance with following security requirement: Enable failure auditing for Azure SQL logins and access
Definition: TBD

Hi,

FTE here, feel free to reach out. Wanted to provide some general feedback as well as some feedback/raise an issue specific to the Enforcing AHUB policy.

I tested the Enforce AHUB policy in a subscription of mine and ran into an issue where Linux distros could no longer be deployed as they do not have the Microsoft.Compute/LicenseType attribute. My understanding is that Microsoft.Compute/LicenseType will return $null, and $null IS in fact not equal to "Windows_Server" which will register as $true and deny the build. I see a few way to get around this, 1) adding a condition that Microsoft.Compute/LicenseType notequals $null, or 2) adding some logic to ensure the ImageOffer is also "WindowsServer" or "WindowsServerSemiAnnual. These aren't fully flushed out, as certain offer types, like Nano server are contained, but don't offer AHUB. I've attached a work around that I use, however I manually checked which Microsoft Published Offers/Skus had AHUB available. Hoping I can get help vetting and testing a more flushed out solution that doesn't block Linux VMs.

As for general feedback, Azure Policy is a super powerful tool, but more documentation and PowerShell options would be really helpful here. It seems like there is a bit of overlap in Aliases within policy, e.g. Microsoft.Compute/imageSku & Microsoft.Compute/virtualMachines/imageSku. Mapping the aliases to REST API attributes might be helpful. This led to some of my confusion with modifying the sample AHUB template. Also would be useful to provide some cmdlets regarding policy initiatives, as I only see the option to create these in the Portal. Would be happy to help in this effort in any way possible or answer/ask additional questions.

sampleAHUBDeny.txt

Scenario

Would like to be able to create policies based on subnet address prefixes.
For example see below:

Definition

{
    "type": "Microsoft.Authorization/policyDefinitions",
    "name": "disallow-subnet-address-prefix",
    "properties": {
        "displayName": "Disallow certain subnet address prefixes",
        "description": "This policy disallows specified address prefixes",
        "parameters": {
            "addrPrefix": {
                "type": "String",
                "metadata": {
                    "description": "Subnet Address Prefix",
                    "displayName": "AddressPrefix"
                }
            }
        },
        "policyRule": {
            "if": {
                "anyOf": [
                    {
                        "allOf": [
                            {
                                "field": "type",
                                "equals": "Microsoft.Network/virtualNetworks/subnets"
                            },
                            {
                                "not": {
                                    "field": "Microsoft.Network/virtualNetworks/subnets/addressPrefix",
                                    "like": "[parameters('addrPrefix')]"
                                }
                            }
                        ]
                    }
                ]
            },
            "then": {
                "effect": "deny"
            }
        }
    }
}

• Scenario
  Permit to check that webapp are correctly compliant with IP restrictions, for allow only IP Adress allowed
• Definition

{
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Web/sites/config"
},
{
"field": "Microsoft.Web/sites/config/siteAuthEnabled",
"in": ["1.2.3.4,1.2.3.5"]
}
]
},
"then": {
"effect": "audit"
}
},
"parameters": {},
"metadata": {
"category": "x_CustomPolicy"
}
}

Saying that I would like to allow a few subnets with public IP addresses similar to the following example

{
	"if": {
		"allOf": [
			{
				"field": "type",
				"equals": "Microsoft.Network/networkInterfaces"
			},
			{
				"not": {
					"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
					"exists": false
				}
			},
			{
				"not": {
					"field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id",
					"in": "[parameters('subnetIds')]"
				}
			}
		]
	},
	"then": {
		"effect": "deny"
	}
}

Is there a backlog that Microsoft supports adding whitelist directly in my JSON definition? It is similar to strongType location which allows me to do as follows:

      {
        "field": "location",
        "notIn": [
          "southeastasia"
          "westeurope",
        ]
      },

@pilor

I've realized that the policy scan activities are not transparent and almost time I have nothing to know if a scan or batch of scan is done and when.

Moreover, if I change my condition in policy definition and click Save, when does the assignment get triggered? Is it an immediate trigger?

Scenario: we are checking compliance with following security requirement: "Azure Storage Accounts must not grant unrestricted access to all networks including Internet"
Definition: TBD

Scenario
Need to use Azure Policy to audit empty Network Security Groups. NSGs that are not associated with any Interface or Subnet.

Alias:
Microsoft.Network/networkSecurityGroups/subnets[].id
Microsoft.Network/networkSecurityGroups/subnets/id
Microsoft.Network/networkSecurityGroups/networkinterfaces[].id
Microsoft.Network/networkSecurityGroups/networkinterfaces/id

** Definition **

{
"type": "Microsoft.Authorization/policyDefinitions",
"name": "audit-empty-nsg",
"properties": {
"displayName": "Check if the NSG is empty",
"description": "This policy will audit any empty NSG.",
"parameters": {
"subnetsId": {
"type": "String",
"metadata": {
"description": "Resource Id of the Subnet",
"displayName": "NSG Id"
}
},
"interfacesId": {
"type": "String",
"metadata": {
"description": "Resource Id of the Interface",
"displayName": "NSG Id"
}
}
},
"policyRule": {
"if": {
"anyOf": [
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/subnets[].id",
"equals": "[parameters('subnetsId')]"
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/subnets"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/subnets/id",
"equals": "[parameters('subnetsId')]"
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/networkinterfaces[].id",
"equals": "[parameters('interfacesId')]"
}
}
]
},
{
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/networkinterfaces"
},
{
"not": {
"field": "Microsoft.Network/networkSecurityGroups/networkinterfaces/id",
"equals": "[parameters('interfacesId')]"
}
}
]
}
]
},
"then": {
"effect": "audit"
}
}
}
}