Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

HIPAA_HITRUST_audit : networkSecurityGroupsOnSubnetsMonitoring #1192

Open AZMadeEZ opened 11 months ago

AZMadeEZ commented 11 months ago

Details of the scenario you tried and the problem that is occurring

The policy used in the HIPAA HiTrust policy set references a security assessment that is no longer used, and will always show false instead of looking at the configuration of the resource. Line 8056 of https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/HIPAA_HITRUST_audit.json references the policy /providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517 which no longer works.

Verbose logs showing the problem

"policyRule": {
  "if": {
    "field": "type",
    "equals": "Microsoft.Network/virtualNetworks/subnets"
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "type": "Microsoft.Security/assessments",
      "name": "eade5b56-eefd-444f-95c8-23f29e5d93cb",
      "existenceCondition": {
        "field": "Microsoft.Security/assessments/status.code",
        "in": [
          "NotApplicable",
          "Healthy"
        ]
      }
    }
  }
}

Suggested solution to the issue

replace this with a policy that references the configuration of the subnet having a network security group rather than a security assessment.

If policy is Guest Configuration - details about target node

s4parke commented 2 weeks ago

+1, I am trying to find the policy rules used by this Assessment and it is not clear where those policy rules can be found.

For example, does the Assessment used by this Policy Definition mirror the ALZ policy definition convention which excludes Subnets named ["GatewaySubnet","AzureFirewallSubnet","AzureFirewallManagementSubnet"]?
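As an added example that is not part of this issue or of the Azure/azure-policy repository: a subnet-configuration rule of the kind the reporter suggests, using the ALZ exclusion list quoted above, together with a small Python evaluator that applies the rule's "if" block to constructed subnet resources so the effect of the exclusions can be seen. The field alias Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id, the Python names, and the sample resources are assumptions; the evaluator reimplements only the handful of policy operators used here and is not the Azure Policy engine.

```python
"""Added example, not code from the Azure/azure-policy repository: a subnet-level
policy rule that audits subnets without an attached NSG, plus a small evaluator
that applies the rule's "if" block to constructed subnet resources."""

import json

# Excluded subnet names follow the ALZ convention quoted in the thread.
EXCLUDED_SUBNETS = ["GatewaySubnet", "AzureFirewallSubnet", "AzureFirewallManagementSubnet"]

# Hypothetical replacement for the assessment-based rule: the condition reads
# the subnet's own configuration (its networkSecurityGroup reference) instead
# of a Microsoft.Security/assessments record.
NSG_ON_SUBNET_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets"},
            {"field": "name", "notIn": EXCLUDED_SUBNETS},
            {
                "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
                "exists": "false",
            },
        ]
    },
    "then": {"effect": "[parameters('effect')]"},
}

# Minimal alias table: policy field name -> path into the resource JSON.
# Azure resolves aliases itself; this table exists only for the local evaluator.
ALIASES = {
    "type": ("type",),
    "name": ("name",),
    "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id":
        ("properties", "networkSecurityGroup", "id"),
}


def _field(resource, alias):
    """Walk the alias path; return None when any segment is missing."""
    node = resource
    for key in ALIASES[alias]:
        if not isinstance(node, dict) or node.get(key) is None:
            return None
        node = node[key]
    return node


def _norm(value):
    """Policy string comparisons are case-insensitive, so compare lower-cased."""
    return value.lower() if isinstance(value, str) else value


def evaluate(condition, resource):
    """Evaluate a policy 'if' condition (allOf/anyOf/not/equals/in/notIn/exists)."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "in" in condition:
        return _norm(value) in [_norm(v) for v in condition["in"]]
    if "notIn" in condition:
        return _norm(value) not in [_norm(v) for v in condition["notIn"]]
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {json.dumps(condition)}")


def noncompliant_subnets(rule, resources):
    """Names of resources whose 'if' block matches, i.e. that the effect would hit."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]


# Constructed sample resources (not real Azure output).
NSG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
          "/providers/Microsoft.Network/networkSecurityGroups/app-nsg")
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "app-subnet",
     "properties": {"networkSecurityGroup": {"id": NSG_ID}}},
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "db-subnet",
     "properties": {"addressPrefix": "10.0.2.0/24"}},
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "GatewaySubnet",
     "properties": {"addressPrefix": "10.0.255.0/27"}},
    {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "azurefirewallsubnet",
     "properties": {"addressPrefix": "10.0.254.0/26"}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "hub-vnet", "properties": {}},
]

if __name__ == "__main__":
    print(json.dumps(NSG_ON_SUBNET_RULE, indent=2))
    print("non-compliant:", noncompliant_subnets(NSG_ON_SUBNET_RULE, SAMPLE_RESOURCES))
```

Only db-subnet is flagged: app-subnet has an NSG, the two special-purpose subnets are excluded by name (case-insensitively, as Azure Policy compares strings), and the virtual network is a different resource type. One caveat when turning this into a real definition: subnets declared inline in a virtual network deployment are evaluated as part of the Microsoft.Network/virtualNetworks resource, so a production rule typically also covers that shape (the ALZ definition does so with a second branch over the subnets[*] array aliases); the standalone-subnet branch above is the part the reporter's suggestion concerns.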