
Implement custom policy set on GC Cloud Guardrails assessment #326

Open
skeeler opened this issue Jul 11, 2022 · 3 comments
Labels
blocked enhancement New feature or request

Comments

@skeeler
Contributor

skeeler commented Jul 11, 2022

Dependent on https://github.com/Azure/GuardrailsSolutionAccelerator publishing custom assessment to Microsoft Defender for Cloud.

@skeeler skeeler added the enhancement New feature or request label Jul 11, 2022
@ccmsft
Contributor

ccmsft commented Jul 15, 2022

Goals

Background

Limitations of Azure Policy

From the Azure Policy docs:

Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules.

This presents a challenge for evaluating things that aren't Azure resources.

Custom Assessments

There are, despite the quote above, checks within Azure Policy that don't pertain to resources, e.g., MFA should be enabled for accounts with write permissions on your subscription. This is accomplished by the use of the Microsoft.Security/assessments resource type. These are very customizable, and can be referenced in Azure Policy.

To create an assessment, we first create an assessment metadata resource which defines the assessment criteria, remediation description, etc. Then, we create an assessment using the name/uuid of our assessment metadata, specifying the assessed resource and the status of the assessment.

Proposed Solution

  1. Create a series of assessment resources (metadata and assessments) which map directly to the guardrails.
  2. Create an Azure Policy initiative containing all of the guardrails.
  3. Assign the policy initiative to the Tenant Root Group.
  4. Add the custom initiative within Microsoft Defender for Cloud.
  5. Within the Guardrails Solution Accelerator, update the assessments when each scan completes.
  6. Reference Recommendations and Regulatory Compliance within Microsoft Defender for Cloud.
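The two-step flow described in the comment above (assessment metadata first, then an assessment keyed by that metadata's id, with a status updated after each scan), as an added example that is not part of this issue or the Guardrails Solution Accelerator. The api-version, guardrail ids, GUID derivation and the "GuardrailScan" cause string are assumptions; the sample guardrail and scan result are constructed.

```python
import uuid

API_VERSION = "2021-06-01"  # assumed api-version for the Microsoft.Security assessment APIs


def metadata_request(subscription_id, metadata_id, guardrail):
    """Step 1: PUT body for the assessmentMetadata resource at subscription scope.
    assessmentType CustomerManaged marks the check as customer-defined, not built-in."""
    path = (f"/subscriptions/{subscription_id}/providers/Microsoft.Security/"
            f"assessmentMetadata/{metadata_id}?api-version={API_VERSION}")
    body = {"properties": {
        "displayName": guardrail["name"],
        "description": guardrail["description"],
        "remediationDescription": guardrail["remediation"],
        "severity": guardrail.get("severity", "Medium"),
        "assessmentType": "CustomerManaged",
        "categories": guardrail.get("categories", ["IdentityAndAccess"]),
    }}
    return {"method": "PUT", "path": path, "body": body}


def assessment_request(resource_id, metadata_id, passed, detail):
    """Step 2: PUT body for the assessment under the assessed resource.
    The assessment name is the metadata id; that is what links the two.
    passed=None records NotApplicable (the scan could not evaluate the check)."""
    code = "NotApplicable" if passed is None else ("Healthy" if passed else "Unhealthy")
    path = (f"{resource_id}/providers/Microsoft.Security/assessments/"
            f"{metadata_id}?api-version={API_VERSION}")
    body = {"properties": {
        "resourceDetails": {"source": "Azure"},
        "status": {"code": code, "cause": "GuardrailScan", "description": detail},
    }}
    return {"method": "PUT", "path": path, "body": body}


def requests_for_scan(subscription_id, guardrails, scan_results):
    """Metadata once per guardrail, then one assessment per scan result.
    A stable GUID per guardrail id keeps re-runs updating the same assessment."""
    ids = {g["id"]: str(uuid.uuid5(uuid.NAMESPACE_URL, g["id"])) for g in guardrails}
    reqs = [metadata_request(subscription_id, ids[g["id"]], g) for g in guardrails]
    for r in scan_results:
        reqs.append(assessment_request(r["resource_id"], ids[r["guardrail"]],
                                       r["passed"], r["detail"]))
    return reqs


# Constructed sample input: one guardrail and one failing scan result
SAMPLE_GUARDRAILS = [{"id": "GR1-mfa", "name": "Guardrail 1: MFA for privileged accounts",
                      "description": "Privileged accounts must require MFA.",
                      "remediation": "Enforce an MFA Conditional Access policy.",
                      "severity": "High", "categories": ["IdentityAndAccess"]}]
SAMPLE_RESULTS = [{"guardrail": "GR1-mfa", "passed": False,
                   "resource_id": "/subscriptions/00000000-0000-0000-0000-000000000000",
                   "detail": "2 privileged accounts without MFA"}]
```

Each returned dict is one REST call to send with an authenticated client (for example `az rest`); the identity running the scan needs write permission on Microsoft.Security/assessments and assessmentMetadata.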

@github-actions

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 7 days.

@SenthuranSivananthan
Contributor

Removed stale tag. Marking as blocked until upstream work is completed.
