
Feature Request - add scope and guidelines for DenyAction policies

Open vegazbabz opened this issue 2 years ago • 2 comments

While you announced the DenyAction policies in September 2023 (announced here in What's new), there are no clear guidelines or recommendations around them.

These two DenyAction policies are not found in the policy list; hence, there are no guidelines or recommendations on what scope to assign them at, etc. Basically, they are orphan policies in the repo, as they are not linked to a management group.

Policies:

  • https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-ActivityLogs.html
  • https://www.azadvertizer.net/azpolicyadvertizer/DenyAction-DiagnosticLogs.html

Found in: https://www.azadvertizer.net/azpolicyinitiativesadvertizer/DenyAction-DeleteProtection.html

  • Consider adding something similar to the initiative: https://www.azadvertizer.net/azpolicyadvertizer/3f83c643-7c61-47f0-9717-47fa562d9fa3.html (Custom)

Given that they relate to the policies assigned to the Intermediate Root, I believe they should be added under that section. Policies related to the DenyAction policies:

  • Deploy Diagnostic Settings to Azure Services
  • Configure Azure Activity logs to stream to specified Log Analytics workspace

vegazbabz avatar Jan 26 '24 23:01 vegazbabz
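For readers unfamiliar with the effect being discussed, the following is an added example of a custom DenyAction policy definition; it is not the ALZ repository's own DenyAction-DiagnosticLogs definition (see the azadvertizer links above for that), and the display name, description and parameter layout are this example's own choices. It uses the documented `denyAction` effect shape (`actionNames` limited to `delete`, plus `cascadeBehaviors` so a resource-group delete that would sweep away the setting is also blocked) against the `Microsoft.Insights/diagnosticSettings` resource type.

```json
{
  "properties": {
    "displayName": "Do not allow deletion of diagnostic settings (added example)",
    "policyType": "Custom",
    "mode": "All",
    "description": "Example DenyAction definition: blocks DELETE on Microsoft.Insights/diagnosticSettings, including deletes cascaded from a resource-group delete. Not the ALZ repo's own definition.",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "DenyAction blocks delete requests on matching resources; Disabled switches the policy off."
        },
        "allowedValues": [ "DenyAction", "Disabled" ],
        "defaultValue": "DenyAction"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Insights/diagnosticSettings"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "actionNames": [ "delete" ],
          "cascadeBehaviors": {
            "ResourceGroup": "deny"
          }
        }
      }
    }
  }
}
```

`mode` is `All` rather than `Indexed` because diagnostic settings are extension resources without a location or tags and would otherwise never be evaluated. Assigned at the same scope as the Deploy-Diagnostics and activity-log DeployIfNotExists policies named above (the Intermediate Root placement is the issue author's proposal, not a documented ALZ recommendation), the pair means the deploy policies create the settings and the DenyAction stops them being removed; a delete under the assigned scope is rejected with a `RequestDisallowedByPolicy` error. Two caveats a practitioner should keep in mind: `denyAction` only covers the delete action, so an operator can still modify a setting (for example point it at a different workspace), and any scope that must legitimately clean up settings needs an exclusion (`notScopes`) or an exemption on the assignment rather than a parameter flip for everyone.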

Thanks @vegazbabz

For the policy enhancement suggestions here, we will triage and come back to you with any further questions or clarity we may have or require and let you know an outcome.

If you haven't already, check out our new GitHub Issue Form for taking in new ALZ Policy Requests.

Thanks - the ALZ Team

jtracey93 avatar Jan 31 '24 19:01 jtracey93

@vegazbabz To clarify, our policy list covers policies assigned by default by ALZ. These additional custom policies have been provided as examples of how to use this for your purposes in your environment, as called out in https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#september-2023. We will be sharing more custom policies that we do not assign by default, because we think they are of value to customers, and share them as they may help with important customer governance objectives. To your point, we should provide clearer documentation on why we include those policies and will add that to the backlog for enhancement.

Springstone avatar Feb 14 '24 19:02 Springstone

Closing, as this topic is about example policies, and we've improved documentation accordingly. We now have a real use case for DenyAction deployed and assigned by default.

The intent is not to educate in this repo. At best we provide examples of new capabilities, and where it makes sense we'll implement them (like the deny-delete of UAMI currently published).

Springstone avatar Jun 08 '24 16:06 Springstone