Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture.
https://aka.ms/alz
MIT License

Deploy-Sql-SecurityAlertPolicies - Doesn't Allow E-Mail Addresses To Be Provided As An Input #695

Closed jtracey93 closed 1 year ago

jtracey93 commented 3 years ago

Describe the bug

Deploy-Sql-SecurityAlertPolicies doesn't allow e-mail addresses to be provided as an input. It currently has a hard-coded value (check line 9456 in policies.json).


Proposed fix

Needs to be changed to an array input parameter and also added to the initiative definition of Deploy-Sql-Security as an input parameter.
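The shape the proposed fix implies, as an added illustration that is not the repository's own policies.json content: the recipients become an `emailAddresses` array parameter of the policy definition and are passed through to the `Microsoft.Sql/servers/databases/securityAlertPolicies` deployment instead of being hard-coded. The parameter name, the constructed default address, the database-level scope and the SQL Security Manager role are assumptions for this example.

```json
{
  "name": "Deploy-Sql-SecurityAlertPolicies",
  "type": "Microsoft.Authorization/policyDefinitions",
  "properties": {
    "displayName": "Deploy SQL Database security alert policies with parameterised e-mail recipients",
    "mode": "Indexed",
    "parameters": {
      "emailAddresses": {
        "type": "Array",
        "metadata": { "displayName": "Alert e-mail addresses", "description": "Example parameter replacing the hard-coded value; the default is a constructed placeholder." },
        "defaultValue": [ "security-alerts@contoso.example" ]
      }
    },
    "policyRule": {
      "if": { "field": "type", "equals": "Microsoft.Sql/servers/databases" },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
          "existenceCondition": { "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state", "equals": "Enabled" },
          "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3" ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "serverName": { "value": "[first(split(field('fullName'), '/'))]" },
                "databaseName": { "value": "[field('name')]" },
                "emailAddresses": { "value": "[parameters('emailAddresses')]" }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "serverName": { "type": "string" }, "databaseName": { "type": "string" }, "emailAddresses": { "type": "array" }
                },
                "resources": [ {
                  "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
                  "apiVersion": "2021-11-01",
                  "name": "[concat(parameters('serverName'), '/', parameters('databaseName'), '/default')]",
                  "properties": { "state": "Enabled", "emailAddresses": "[parameters('emailAddresses')]", "emailAccountAdmins": true }
                } ]
              }
            }
          }
        }
      }
    }
  }
}
```

In the Deploy-Sql-Security initiative the same array would be declared once in the initiative's `parameters` and forwarded to this definition's reference as `"emailAddresses": { "value": "[parameters('emailAddresses')]" }`, so a single assignment supplies the recipients.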

krowlandson commented 2 years ago

The additional missing settings regarding storage are also a little odd given we configure these in the Deploy-Sql-VulnerabilityAssessments Policy Definition.

Given we don't have this Policy Definition linked to a Policy Assignment (either directly or via the Deploy-Sql-Security Policy Initiative referencing it), is this and its related policies still needed? What was the reason for removing them?

Any insights please @krnese and @uday31in? Were these removed as not production-ready, or just deemed no longer necessary? I see we have similar built-in policies, but these only cover the AuditIfNotExists effect.

I've also found in testing that the Deploy-Sql-Tde Policy Definition generates the following error during remediation, so this will also require modification of the policyRule to exclude these databases:

Cannot encrypt a system database. Database encryption operations cannot be performed for 'master', 'model', 'tempdb', 'msdb', or 'resource' databases.


jtracey93 commented 2 years ago

Trigger ADO Sync 1

jtracey93 commented 2 years ago

Trigger ADO Sync 2