ccmsft
commented
2 years ago Goals
- Incorporate the Guardrails Solution Accelerator findings into Microsoft Defender for Cloud.
- Ideally, by creating a policy initiative (policySet) which contains the guardrails.
Background
Limitations of Azure Policy
From the Azure Policy docs:
Azure Policy evaluates resources in Azure by comparing the properties of those resources to business rules.
This presents a challenge for evaluating things that aren't Azure resources.
Custom Assessments
There are, despite the quote above, checks within Azure Policy that don't pertain to resources e.g., MFA should be enabled accounts with write permissions on your subscription. This is accomplished by the use of the Microsoft.Security/assessments resource type. These are very customizable, and can be referenced in Azure Policy.
To create an assessment, we first create an assessment metadata resource which defines the assessment criteria, remediation description, etc. Then, we create an assessment using the name/uuid of our assessment metadata, specifying the assessed resource and the status of the assessment.
Proposed Solution
- Create a series of assessment resources (metadata and assessments) which map directly to the guardrails.
- Create an Azure Policy initiative containing all of the guardrails.
- Assign the policy initiative to the Tenant Root Group.
- Add the custom initiative within Microsoft Defender for Cloud.
- Within the Guardrails Solution Accelerator, update the assessments when each scan completes.
- Reference Recommendations and Regulatory Compliance within Microsoft Defender for Cloud.
github-actions[bot]
SenthuranSivananthan
Dependent on https://github.com/Azure/GuardrailsSolutionAccelerator publishing custom assessment to Microsoft Defender for Cloud.