Closed vegazbabz closed 3 months ago
Thanks @vegazbabz
For the policy enhancement suggestions here, we will triage and come back to you with any further questions or clarity we may have or require and let you know an outcome.
If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.
Thanks - the ALZ Team
@vegazbabz To clarify, our policy list covers policies assigned by default by ALZ. These additional custom policies have been provided as examples on how to use this for your purposes in your environment, as called out in https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#september-2023. We will be sharing more custom policies that we do not assign by default, because we think they are of value to customers, and share them as they may help with important customer governance objectives. To your point, we should provide clearer documentation on why we include those policies and will add that to the backlog for enhancement.
Closing as this topic is about example policies, and we've improved documentation accordingly. We now have a real use case for denyaction deployed and assigned by default.
The intent is not to educate in this repo. At best provide examples of new capabilities, and where it makes sense we'll implement them (like the deny delete of UAMI currently published).
While you announced the DenyAction policies in September 2023 (Announced here in what's new), there are no clear guidelines or recommendations around them.
These 2 DenyAction policies are not found in the policy list; hence, there are no guidelines or recommendations on what scope to have them at, etc. Basically, they are orphan policies in the repo, as they are not linked to a management group.
Policies: https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-ActivityLogs.html https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DiagnosticLogs.html
Found in: https://www.azadvertizer.net/azpolicyinitiativesadvertizer/DenyAction-DeleteProtection.html
Given that they relate to the policies assigned to Intermediate Root, I believe they should be added under that section. Policies related to DenyAction policies: