Denyactionpr (#1406)

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Azure · Sep 18, 2023 · bc80050 · bc80050
1 parent bc067a2
commit bc80050
Show file tree

Hide file tree

Showing 7 changed files with 203 additions and 78 deletions.
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
@@ -48,6 +48,9 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 - Updated to the new [Configure Microsoft Defender for Storage to be enabled](https://www.azadvertizer.com/azpolicyadvertizer/cfdc5972-75b3-4418-8ae1-7f5c36839390.html) built-in policy to the `Deploy-MDFC-Config` initiative and assignment.
   - Read more about the new Microsoft Defender for Storage here: [aka.ms//DefenderForStorage](https://aka.ms//DefenderForStorage).
   - NOTE: there are additional cost considerations associated with this feature - [more info](https://learn.microsoft.com/azure/defender-for-cloud/defender-for-storage-introduction#malware-scanning-powered-by-microsoft-defender-antivirus).
+- Added two new definitions with Deny Action feature:
+  - `DenyAction-ActivityLogSettings.json`
+  - `DenyAction-DiagnosticSettings.json`
 
 ### July 2023
 

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.20.4.51522",
-      "templateHash": "11768655431175792812"
+      "version": "0.21.1.54444",
+      "templateHash": "7093918517635612324"
     }
   },
   "variables": {

diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json
@@ -0,0 +1,38 @@
+{
+    "name": "DenyAction-ActivityLogs",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "displayName": "DenyAction implementation on Activity Logs",
+        "description": "This is a DenyAction implementation policy on Activity Logs.",
+        "metadata": {
+            "deprecated": false,            
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyRule": {
+            "if": {
+                "field": "type",
+                "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings"
+            },
+            "then": {
+                "effect": "denyAction",
+                "details": {
+                    "actionNames": [
+                        "delete"
+                    ]
+                }
+            }
+        }
+    }
+}
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json b/src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json
@@ -0,0 +1,38 @@
+{
+    "name": "DenyAction-DiagnosticLogs",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "mode": "Indexed",
+        "displayName": "DenyAction implementation on Diagnostic Logs.",
+        "description": "DenyAction implementation on Diagnostic Logs.",
+        "metadata": {
+            "deprecated": false,
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyRule": {
+            "if": {
+                "field": "type",
+                "equals": "Microsoft.Insights/diagnosticSettings"
+            },
+            "then": {
+                "effect": "denyAction",
+                "details": {
+                    "actionNames": [
+                        "delete"
+                    ]
+                }
+            }
+        }
+    }
+}
diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json
@@ -0,0 +1,37 @@
+{
+    "name": "DenyAction-DeleteProtection",
+    "type": "Microsoft.Authorization/policySetDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,
+    "properties": {
+        "policyType": "Custom",
+        "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings",
+        "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.",
+        "metadata": {
+            "version": "1.0.0",
+            "category": "Monitoring",
+            "source": "https://github.com/Azure/Enterprise-Scale/",
+            "alzCloudEnvironments": [
+                "AzureCloud",
+                "AzureChinaCloud",
+                "AzureUSGovernment"
+            ]
+        },
+        "parameters": {},
+        "policyDefinitions": [
+            {
+                "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings",
+                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings",
+                "parameters": {},
+                "groupNames": []
+            },
+            {
+                "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings",
+                "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings",
+                "parameters": {},
+                "groupNames": []
+            }
+        ],
+        "policyDefinitionGroups": null
+    }
+}
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
@@ -177,6 +177,8 @@ var loadPolicyDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Windows-DomainJoin.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkPrivateDnsZones.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticSettings.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogSettings.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment
@@ -224,6 +226,7 @@ var loadPolicySetDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json')
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json')
+    loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json') // See AzureChinaCloud and AzureUSGovernment comments below for reasoning