diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index eb0430858..1c32a91c0 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.4.1124.51302",
- "templateHash": "10156023147744075921"
+ "templateHash": "1118457920660514703"
 }
 },
 "parameters": {
@@ -4621,7 +4621,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.4.1124.51302",
- "templateHash": "5910850021434301527"
+ "templateHash": "998933596067649007"
 }
 },
 "parameters": {
@@ -4632,13 +4632,6 @@
 "description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
 }
 },
- "enableSecuritySettings": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Turn security policy settings On or Off."
- }
- },
 "logAnalyticsWorkspaceId": {
 "type": "string",
 "metadata": {
@@ -4650,12 +4643,18 @@
 "metadata": {
 "description": "Email address of the contact, in the form of john@doe.com"
 }
+ },
+ "policySetDescription": {
+ "type": "string",
+ "defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
+ "metadata": {
+ "description": "Policy Initiative description field"
+ }
 }
 },
 "variables": {
 "bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
- "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
- "securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
+ "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
 },
 "resources": [
 {
@@ -4699,32 +4698,15 @@
 }
 },
 {
- "type": "Microsoft.Security/policies",
- "apiVersion": "2015-06-01-preview",
- "name": "default",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2021-06-01",
+ "name": "Azure Security Benchmark",
 "properties": {
- "policyLevel": "Subscription",
- "name": "default",
- "unique": "Off",
- "logCollection": "On",
- "recommendations": {
- "patch": "[variables('securitySettings')]",
- "baseline": "[variables('securitySettings')]",
- "antimalware": "[variables('securitySettings')]",
- "diskEncryption": "[variables('securitySettings')]",
- "acls": "[variables('securitySettings')]",
- "nsgs": "[variables('securitySettings')]",
- "waf": "[variables('securitySettings')]",
- "sqlAuditing": "[variables('securitySettings')]",
- "sqlTde": "[variables('securitySettings')]",
- "ngfw": "[variables('securitySettings')]",
- "vulnerabilityAssessment": "[variables('securitySettings')]",
- "storageEncryption": "[variables('securitySettings')]",
- "jitNetworkAccess": "[variables('securitySettings')]"
- },
- "pricingConfiguration": {
- "selectedPricingTier": "Standard"
- }
+ "displayName": "ASC Default",
+ "description": "[parameters('policySetDescription')]",
+ "enforcementMode": "DoNotEnforce",
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
 }
 }
 ]
@@ -4765,7 +4747,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.4.1124.51302",
- "templateHash": "5910850021434301527"
+ "templateHash": "998933596067649007"
 }
 },
 "parameters": {
@@ -4776,13 +4758,6 @@
 "description": "Turn automatic deployment by ASC of the MMA (OMS VM extension) on or off"
 }
 },
- "enableSecuritySettings": {
- "type": "bool",
- "defaultValue": true,
- "metadata": {
- "description": "Turn security policy settings On or Off."
- }
- },
 "logAnalyticsWorkspaceId": {
 "type": "string",
 "metadata": {
@@ -4794,12 +4769,18 @@
 "metadata": {
 "description": "Email address of the contact, in the form of john@doe.com"
 }
+ },
+ "policySetDescription": {
+ "type": "string",
+ "defaultValue": "The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.",
+ "metadata": {
+ "description": "Policy Initiative description field"
+ }
 }
 },
 "variables": {
 "bundle": "[if(not(equals(environment().name, 'AzureUSGovernment')), createArray('KeyVaults', 'SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'SqlServerVirtualMachines', 'AppServices', 'Dns', 'Arm'), createArray('SqlServers', 'VirtualMachines', 'StorageAccounts', 'ContainerRegistry', 'KubernetesService', 'Dns', 'Arm'))]",
- "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]",
- "securitySettings": "[if(parameters('enableSecuritySettings'), 'On', 'Off')]"
+ "autoProvisioning": "[if(parameters('enableAutoProvisioning'), 'On', 'Off')]"
 },
 "resources": [
 {
@@ -4843,32 +4824,15 @@
 }
 },
 {
- "type": "Microsoft.Security/policies",
- "apiVersion": "2015-06-01-preview",
- "name": "default",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2021-06-01",
+ "name": "Azure Security Benchmark",
 "properties": {
- "policyLevel": "Subscription",
- "name": "default",
- "unique": "Off",
- "logCollection": "On",
- "recommendations": {
- "patch": "[variables('securitySettings')]",
- "baseline": "[variables('securitySettings')]",
- "antimalware": "[variables('securitySettings')]",
- "diskEncryption": "[variables('securitySettings')]",
- "acls": "[variables('securitySettings')]",
- "nsgs": "[variables('securitySettings')]",
- "waf": "[variables('securitySettings')]",
- "sqlAuditing": "[variables('securitySettings')]",
- "sqlTde": "[variables('securitySettings')]",
- "ngfw": "[variables('securitySettings')]",
- "vulnerabilityAssessment": "[variables('securitySettings')]",
- "storageEncryption": "[variables('securitySettings')]",
- "jitNetworkAccess": "[variables('securitySettings')]"
- },
- "pricingConfiguration": {
- "selectedPricingTier": "Standard"
- }
+ "displayName": "ASC Default",
+ "description": "[parameters('policySetDescription')]",
+ "enforcementMode": "DoNotEnforce",
+ "parameters": {},
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
 }
 }
 ]
diff --git a/src/bicep/modules/securityCenter.bicep b/src/bicep/modules/securityCenter.bicep
index 983074bbf..ddadd1ebf 100644
--- a/src/bicep/modules/securityCenter.bicep
+++ b/src/bicep/modules/securityCenter.bicep
@@ -25,16 +25,16 @@ var bundle = (environment().name != 'AzureUSGovernment' ? [
 param enableAutoProvisioning bool = true
 var autoProvisioning = enableAutoProvisioning ? 'On' : 'Off'
-@description('Turn security policy settings On or Off.')
-param enableSecuritySettings bool = true
-var securitySettings = enableSecuritySettings ? 'On' : 'Off'
-
 @description('Specify the ID of your custom Log Analytics workspace to collect ASC data.')
 param logAnalyticsWorkspaceId string
 @description('Email address of the contact, in the form of john@doe.com')
 param emailSecurityContact string
+@description('Policy Initiative description field')
+param policySetDescription string = 'The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center.'
+
+
 // security center
 resource securityCenterPricing 'Microsoft.Security/pricings@2018-06-01' = [for name in bundle: {
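Review bot: The decorator on the new `policySetDescription` parameter, `@description('Policy Initiative description field')`, does not tell a caller what the value is used for; it is written to the `description` property of the policy assignment this module creates, so something like `@description('Description text set on the Azure Security Benchmark policy assignment created by this module.')` would be more useful. The two blank `+` lines added after the parameter, ahead of the `// security center` comment, are one more than the file uses between its other declarations. Removing `enableSecuritySettings` also drops a public parameter of this module, so any caller still passing it will fail to compile; the recompiled mlz.json in the same commit suggests the in-repo caller does not, but external consumers may.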
@@ -70,30 +70,14 @@ resource securityNotifications 'Microsoft.Security/securityContacts@2017-08-01-p
 }
 }
-resource securityPoliciesDefault 'Microsoft.Security/policies@2015-06-01-preview' = {
- name: 'default'
+resource securityPoliciesDefault 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
+ name: 'Azure Security Benchmark'
+ scope: subscription()
 properties: {
- policyLevel: 'Subscription'
- name: 'default'
- unique: 'Off'
- logCollection: 'On'
- recommendations: {
- patch: securitySettings
- baseline: securitySettings
- antimalware: securitySettings
- diskEncryption: securitySettings
- acls: securitySettings
- nsgs: securitySettings
- waf: securitySettings
- sqlAuditing: securitySettings
- sqlTde: securitySettings
- ngfw: securitySettings
- vulnerabilityAssessment: securitySettings
- storageEncryption: securitySettings
- jitNetworkAccess: securitySettings
- }
- pricingConfiguration: {
- selectedPricingTier: 'Standard'
- }
+ displayName: 'ASC Default'
+ description: policySetDescription
+ enforcementMode: 'DoNotEnforce'
+ parameters: {}
+ policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8'
 }
 }
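Review bot: `enforcementMode: 'DoNotEnforce'` is hard-coded with no explanation, and it is the one security-relevant knob on the new assignment: the initiative is then evaluated for compliance reporting only, and any Deny, Modify or DeployIfNotExists effect it contains is not applied, whereas the `Microsoft.Security/policies` resource this replaces turned every recommendation on by default. If audit-only is deliberate, a comment on that line saying so would stop the next reader from "fixing" it; otherwise expose it alongside the other parameters as `@allowed(['Default', 'DoNotEnforce'])` / `param policyEnforcementMode string = 'DoNotEnforce'` and use `enforcementMode: policyEnforcementMode` here. The removed `pricingConfiguration` block pinned the Standard tier; presumably the `securityCenterPricing` loop (whose body is outside this hunk) already covers that, but it is worth confirming before merging. The symbolic name `securityPoliciesDefault` and `displayName: 'ASC Default'` still describe the old security-policy resource rather than a policy assignment of the Azure Security Benchmark, so renaming both would avoid confusion.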