Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Feature Request - add scope and guidelines for DenyAction policies #1540

Closed vegazbabz closed 3 months ago

vegazbabz commented 8 months ago

While you announced the DenyAction policies in September 2023 (announced here in What's new), there are no clear guidelines or recommendations around them.

These 2 DenyAction policies are not found in the policy list; hence there are no guidelines or recommendations on what scope to have them at, etc. Basically, they are orphan policies in the repo, as they are not linked to a management group.

Policies:
https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-ActivityLogs.html
https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DiagnosticLogs.html

Found in: https://www.azadvertizer.net/azpolicyinitiativesadvertizer/DenyAction-DeleteProtection.html

Given that they relate to the policies assigned to Intermediate Root, I believe they should be added under that section. Policies related to DenyAction policies:
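For readers unfamiliar with the effect being discussed, the following is an added illustration of what a DenyAction policy definition looks like; it is not the definition published in the Enterprise-Scale repo or on azadvertizer, and its display name, description and the choice to cascade the deny to the resource group are assumptions made for this example. The `denyAction` effect with `actionNames` and `cascadeBehaviors` is the standard Azure Policy syntax; the definition below blocks DELETE calls against diagnostic settings (the resource type that the DenyAction-DiagnosticLogs policy governs) so that log forwarding cannot be silently removed:

```json
{
  "properties": {
    "displayName": "Example: deny deletion of diagnostic settings",
    "description": "Added illustration (not the ALZ repo's own definition): blocks DELETE on diagnostic settings so log forwarding cannot be removed without first removing the policy assignment.",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Insights/diagnosticSettings"
      },
      "then": {
        "effect": "denyAction",
        "details": {
          "actionNames": [
            "delete"
          ],
          "cascadeBehaviors": {
            "resourceGroup": "deny"
          }
        }
      }
    }
  }
}
```

Two points this example makes concrete for the scoping question raised above: `denyAction` only intercepts the named action (here `delete`) and does nothing on create or update, so it complements rather than replaces a `deployIfNotExists` policy that provisions the settings; and `cascadeBehaviors.resourceGroup: deny` means deleting a resource group that contains a protected resource is also refused, which is exactly the kind of behaviour an operator needs documented before the definition is assigned at a management group such as the intermediate root.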

jtracey93 commented 8 months ago

Thanks @vegazbabz

For the policy enhancement suggestions here, we will triage and come back to you with any further questions or clarity we may have or require and let you know an outcome.

If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.

Thanks - the ALZ Team

Springstone commented 7 months ago

@vegazbabz To clarify, our policy list covers policies assigned by default by ALZ. These additional custom policies have been provided as examples of how to use this for your purposes in your environment, as called out in https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#september-2023. We will be sharing more custom policies that we do not assign by default, because we think they are of value to customers, and share them as they may help with important customer governance objectives. To your point, we should provide clearer documentation on why we include those policies and will add that to the backlog for enhancement.

Springstone commented 3 months ago

Closing as this topic is about example policies, and we've improved documentation accordingly. We now have a real use case for DenyAction deployed and assigned by default.

The intent is not to educate in this repo. At best, provide examples of new capabilities, and where it makes sense we'll implement them (like the deny delete of UAMI currently published).