Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Feature Request - Move Enforce-EncryptTransit to higher scope #1560

Open vegazbabz opened 9 months ago

vegazbabz commented 9 months ago

Consider moving "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit" (Enforce-EncryptTransit) from Landing Zone MG to intermediate root group. The resources under Platform MG should also use TLS.

From a security perspective, it does not make sense to only “protect” workloads in LZ MG. Organizations potentially have PaaS services in the Platform MG as well that should also use TLS v1.2 (v1.3). If not, no harm done by applying this policy to a higher scope. Better safe than sorry.

jtracey93 commented 9 months ago

Hey @vegazbabz, so we are actually saying here to make a duplicate assignment of this policy to platform MG as well, as we don't want this on decom or sandbox?

cc: @Springstone

mundayn commented 9 months ago

Chiming in as I subscribe to the notifications, I would want this to cover all scopes.

You don't want users sandboxing insecure designs.

But as long as Platform is covered, I think that would be a good enhancement with the duplicate assignment.

vegazbabz commented 9 months ago

> Hey @vegazbabz, so we are actually saying here to make a duplicate assignment of this policy to platform MG as well, as we don't want this on decom or sandbox?
>
> cc: @Springstone

I think this should be applicable to the whole intermediate root group scope. It does not make sense from a security PoV to allow TLSv1.0 or 1.1. It is so insecure... Even for sandboxes. Yes, it is a sandbox, but there is no valid argument for not using v1.2. Should there be some legacy edge case, then a policy exemption can be made.
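The scope argument in this post, as an added example that is not part of the thread or of ALZ's own code: a small Python model of Azure Policy assignment inheritance across a management-group tree. The management-group and subscription names are constructed placeholders; the model shows which subscriptions the Enforce-EncryptTransit assignment reaches when assigned at the landing-zones MG only, duplicated at platform, or assigned once at the intermediate root with a policy exemption for a single legacy subscription.

```python
"""Model of Azure Policy inheritance in an ALZ-style management-group tree.

Constructed example; the hierarchy and names are placeholders, not ALZ's
actual defaults. Assignments and exemptions both flow down to child scopes.
"""
from typing import Dict, List, Set

# Constructed hierarchy: child scope -> parent scope. "root" stands for the
# intermediate root management group; "*-sub" entries are subscriptions.
PARENT: Dict[str, str] = {
    "platform": "root", "landingzones": "root",
    "sandboxes": "root", "decommissioned": "root",
    "management-sub": "platform", "corp-sub": "landingzones",
    "legacy-sub": "landingzones", "sandbox-sub": "sandboxes",
    "decom-sub": "decommissioned",
}
POLICY = "Enforce-EncryptTransit"


def ancestry(scope: str) -> List[str]:
    """Return the scope followed by all its ancestors, nearest first."""
    chain = [scope]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_policies(scope: str, assignments: Dict[str, Set[str]],
                       exemptions: Dict[str, Set[str]]) -> Set[str]:
    """Policies in force at `scope`: assigned at the scope or any ancestor,
    minus anything exempted at the scope or any ancestor."""
    chain = ancestry(scope)
    assigned = set().union(*(assignments.get(s, set()) for s in chain))
    exempt = set().union(*(exemptions.get(s, set()) for s in chain))
    return assigned - exempt


def uncovered(assignments: Dict[str, Set[str]],
              exemptions: Dict[str, Set[str]]) -> Set[str]:
    """Subscriptions (leaf scopes) where the TLS policy is NOT in force."""
    leaves = [s for s in PARENT if s not in PARENT.values()]
    return {s for s in leaves
            if POLICY not in effective_policies(s, assignments, exemptions)}


if __name__ == "__main__":
    print("LZ only:        ", sorted(uncovered({"landingzones": {POLICY}}, {})))
    print("LZ + platform:  ", sorted(uncovered({"landingzones": {POLICY}, "platform": {POLICY}}, {})))
    print("root + waiver:  ", sorted(uncovered({"root": {POLICY}}, {"legacy-sub": {POLICY}})))
```

Only the root-scope assignment leaves sandbox and decommissioned subscriptions covered, while the exemption still carves out the one legacy subscription.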

Springstone commented 9 months ago

@vegazbabz @mundayn I fully appreciate your points of view and tend to agree. There isn't a good reason to exempt areas of the estate from this fundamental security practice, and for those legacy environments that don't support TLSv1.2, there is the option to exempt. ALZ team will review your valid suggestion and provide feedback asap.

steph409 commented 4 months ago

What about the idea to add this initiative to the platform management group as well? Many policies are now applied twice, at landing-zone management group and at platform management group; this could be one of them.