Open alperkar opened 6 months ago
Hi @achechen, thanks again for raising your issues and concerns here! We're busy packaging the next policy refresh, which is large and contains many updates including to that particular initiative. Can I ask we review this in a week or so? If the policy doesn't have a Deny, you can override this in the assignment, as a workaround.
The Policy's `effect` parameter has `allowedValues` of `AuditIfNotExists` and `Disabled`, so it can be changed in the Initiative or Assignment parameters without an override.

Trying to override an `AuditIfNotExists` Policy with the `Deny` effect should generate an error and prevent the update. Otherwise, the `existenceCondition` will not be evaluated and all APIM resources matching the `if` condition would be denied!

The corresponding APIM enforcement policy below has a `DeployIfNotExists` effect and so it would probably be in a different initiative named Deploy-:

- Configure API Management services to disable access to API Management public service configuration endpoints (7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2)
Many thanks for all the excellent work.
@achechen and @s4parke as part of the policy refresh just released, we have a new set of policies and initiatives that can help further secure workload specific features like for APIM (under "Workload Specific Compliance" in the portal accelerator). The DINE policy you mention above is included for API Management specifically.
We'll review if we should remove the AuditIfNotExists policy from the overall infra initiative.
I noticed most of the latest enforcing policies don't have an AINE effect, but they still are really useful in AINE mode. For example, "Configure Defender for Cloud CSPM Plan" has parameters for all the sub-pricings.
My workaround has been to add them to a separate Initiative and either Assign with Enforcement mode=Off or not enable the SAMI roles.
The override effect in the Assignment would be sweet, but it only works if AINE is already one of the AllowedValues in the Effect Parameter for that policy definition. So it's DINE or Disabled there.
But maybe it's possible to create an Initiative Parameter called "Effect" and tell the Policy to use that instead of its own "Effect" param in the Initiative Definition. That's something to try.
Thanks for all the great work on Policy, it's the best free lunch in cloud security right now.
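An added example of the approach in the comment above (this is not code from the thread or from the accelerator): a custom initiative exposes its own effect parameter, restricted to the values the built-in definition actually allows, and passes it to the built-in's `effect` parameter. The parameter name `apimConfigEndpointsEffect`, the reference id and the display names are assumptions.

```json
{
  "properties": {
    "displayName": "Example: APIM public configuration endpoints (custom initiative)",
    "policyType": "Custom",
    "parameters": {
      "apimConfigEndpointsEffect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect for APIM public configuration endpoints",
          "description": "Mirrors the built-in, which only allows AuditIfNotExists or Disabled. Deny is deliberately not listed, so it cannot be selected and the built-in's existenceCondition is never bypassed."
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionReferenceId": "ApimDisablePublicConfigEndpoints",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd",
        "parameters": {
          "effect": {
            "value": "[parameters('apimConfigEndpointsEffect')]"
          }
        }
      }
    ]
  }
}
```

At assignment time the initiative parameter can be set to `Disabled` without an override, for example via `--params '{"apimConfigEndpointsEffect":{"value":"Disabled"}}'` on `az policy assignment create`. The DeployIfNotExists definition 7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2 would live in a separate Deploy- initiative, as discussed above.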
The "API Management should disable public network access to the service configuration endpoints" policy (/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd), which is part of the Deny-PublicPaaSEndpoints initiative, does not have a Deny effect. It should either be removed from the initiative, or a Deny effect should be added to the built-in policy.