From 51e2be72750a836873490a5f5af85f4ba100cd80 Mon Sep 17 00:00:00 2001 
From: sdeguchi Date: Mon, 11 Nov 2024 09:24:37 -0800 Subject: [PATCH] feat: add fsi library files --- platform/fsi/README.md | 913 ++++++++++++++++++ platform/fsi/alz_library_metadata.json | 13 + platform/fsi/alz_policy_default_values.json | 87 ++ ...confidential.alz_archetype_definition.json | 9 + .../fsi_root.alz_archetype_definition.json | 10 + ...al_residency.alz_archetype_definition.json | 9 + ...ta_residency.alz_archetype_definition.json | 9 + .../so_04_cmk.alz_archetype_definition.json | 9 + ...r_01_logging.alz_archetype_definition.json | 9 + .../fsi.alz_architecture_definition.json | 89 ++ ...nforce_fsi_conf.alz_policy_assignment.json | 277 ++++++ ...zonal_residency.alz_policy_assignment.json | 23 + ..._data_residency.alz_policy_assignment.json | 26 + .../so_04_cmk.alz_policy_assignment.json | 23 + .../tr_01_logging.alz_policy_assignment.json | 23 + platform/fsi/policy_definitions/.gitignore | 6 + ...a-Residency.alz_policy_set_definition.json | 93 ++ .../SO-04-CMK.alz_policy_set_definition.json | 147 +++ platform/fsi/role_definitions/.gitignore | 6 + 19 files changed, 1781 insertions(+) create mode 100644 platform/fsi/README.md create mode 100644 platform/fsi/alz_library_metadata.json create mode 100644 platform/fsi/alz_policy_default_values.json create mode 100644 platform/fsi/archetype_definitions/confidential.alz_archetype_definition.json create mode 100644 platform/fsi/archetype_definitions/fsi_root.alz_archetype_definition.json create mode 100644 platform/fsi/archetype_definitions/re_01_zonal_residency.alz_archetype_definition.json create mode 100644 platform/fsi/archetype_definitions/so_01_data_residency.alz_archetype_definition.json create mode 100644 platform/fsi/archetype_definitions/so_04_cmk.alz_archetype_definition.json create mode 100644 platform/fsi/archetype_definitions/tr_01_logging.alz_archetype_definition.json create mode 100644 platform/fsi/architecture_definitions/fsi.alz_architecture_definition.json create mode 100644 
platform/fsi/policy_assignments/enforce_fsi_conf.alz_policy_assignment.json create mode 100644 platform/fsi/policy_assignments/re_01_zonal_residency.alz_policy_assignment.json create mode 100644 platform/fsi/policy_assignments/so_01_data_residency.alz_policy_assignment.json create mode 100644 platform/fsi/policy_assignments/so_04_cmk.alz_policy_assignment.json create mode 100644 platform/fsi/policy_assignments/tr_01_logging.alz_policy_assignment.json create mode 100644 platform/fsi/policy_definitions/.gitignore create mode 100644 platform/fsi/policy_set_definitions/SO-01-Data-Residency.alz_policy_set_definition.json create mode 100644 platform/fsi/policy_set_definitions/SO-04-CMK.alz_policy_set_definition.json create mode 100644 platform/fsi/role_definitions/.gitignore diff --git a/platform/fsi/README.md b/platform/fsi/README.md new file mode 100644 index 0000000..47a8293 --- /dev/null +++ b/platform/fsi/README.md 
@@ -0,0 +1,913 @@ +# FSI (Financial Services Industry) + +This library provides the reference set of Financial Services Industry (FSI) policies, archetypes, and management group architecture. + +## Dependencies + +- platform/alz@2024.07.4 + +## Usage + +```terraform +provider "alz" { + library_references = [ + { + path = "platform/fsi" + tag = "0000.00.0" # Replace with the desired version + } + ] +} +``` + +## Architectures + +The following architectures are available in this library, please note that the diagrams denote the management group display name and, in brackets, the associated archetypes: + +### architecture `alz` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. + +```mermaid +flowchart TD + alzroot["ALZ root +(root)"] + alzroot --> decommissioned + decommissioned["Decommissioned +(decommissioned)"] + alzroot --> landingzones + landingzones["Landing zones +(landing_zones)"] + landingzones --> corp + corp["Corp +(corp)"] + landingzones --> online + online["Online +(online)"] + alzroot --> platform + platform["Platform +(platform)"] + platform --> connectivity + connectivity["Connectivity +(connectivity)"] + platform --> identity + identity["Identity +(identity)"] + platform --> management + management["Management +(management)"] + alzroot --> sandboxes + sandboxes["Sandboxes +(sandboxes)"] + +``` + +### architecture `fsi` + +> [!NOTE] +> This hierarchy will be deployed as a child of the user-supplied root management group. 
+ +```mermaid +flowchart TD + fsi["FSI Landing Zone +(fsi_root, root)"] + fsi --> fsi-decommissioned + fsi-decommissioned["Decommissioned +(decommissioned)"] + fsi --> fsi-landingzones + fsi-landingzones["Landing Zones +(landing_zones)"] + fsi-landingzones --> fsi-landingzones-confidential-corp + fsi-landingzones-confidential-corp["Confidential Corp +(confidential, corp)"] + fsi-landingzones --> fsi-landingzones-confidential-online + fsi-landingzones-confidential-online["Confidential Online +(confidential, online)"] + fsi-landingzones --> fsi-landingzones-corp + fsi-landingzones-corp["Corp +(corp)"] + fsi-landingzones --> fsi-landingzones-online + fsi-landingzones-online["Online +(online)"] + fsi --> fsi-platform + fsi-platform["Platform +(platform)"] + fsi-platform --> fsi-platform-connectivity + fsi-platform-connectivity["Connectivity +(connectivity)"] + fsi-platform --> fsi-platform-identity + fsi-platform-identity["Identity +(identity)"] + fsi-platform --> fsi-platform-management + fsi-platform-management["Management +(management)"] + fsi --> fsi-sandbox + fsi-sandbox["Sandbox +(sandboxes)"] + +``` + +## Archetypes + +### archetype `confidential` + +#### confidential policy assignments + +
1 policy assignments + +- Enforce-Fsi-Conf +
+ +### archetype `connectivity` + +#### connectivity policy assignments + +
1 policy assignments + +- Enable-DDoS-VNET +
+ +### archetype `corp` + +#### corp policy assignments + +
5 policy assignments + +- Audit-PeDnsZones +- Deny-HybridNetworking +- Deny-Public-Endpoints +- Deny-Public-IP-On-NIC +- Deploy-Private-DNS-Zones +
+ +### archetype `decommissioned` + +#### decommissioned policy assignments + +
1 policy assignments + +- Enforce-ALZ-Decomm +
+ +### archetype `fsi_root` + +#### fsi_root policy set definitions + +
2 policy set definitions + +- 50e4abe0-fc74-4546-9bd4-070ad748670b +- d22ea5a9-2a46-4f25-8d11-e8ef42769e46 +
+ +### archetype `identity` + +#### identity policy assignments + +
4 policy assignments + +- Deny-MgmtPorts-Internet +- Deny-Public-IP +- Deny-Subnet-Without-Nsg +- Deploy-VM-Backup +
+ +### archetype `landing_zones` + +#### landing_zones policy assignments + +
25 policy assignments + +- Audit-AppGW-WAF +- Deny-IP-forwarding +- Deny-MgmtPorts-Internet +- Deny-Priv-Esc-AKS +- Deny-Privileged-AKS +- Deny-Storage-http +- Deny-Subnet-Without-Nsg +- Deploy-AKS-Policy +- Deploy-AzSqlDb-Auditing +- Deploy-MDFC-DefSQL-AMA +- Deploy-SQL-TDE +- Deploy-SQL-Threat +- Deploy-VM-Backup +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enable-DDoS-VNET +- Enforce-AKS-HTTPS +- Enforce-ASR +- Enforce-GR-KeyVault +- Enforce-TLS-SSL-H224 +
+ +### archetype `management` + +#### management policy assignments + +
1 policy assignments + +- Deploy-Log-Analytics +
+ +### archetype `platform` + +#### platform policy assignments + +
11 policy assignments + +- DenyAction-DeleteUAMIAMA +- Deploy-MDFC-DefSQL-AMA +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enforce-ASR +- Enforce-GR-KeyVault +
+ +### archetype `re_01_zonal_residency` + +#### re_01_zonal_residency policy assignments + +
1 policy assignments + +- RE-01-Zonal-Residency +
+ +### archetype `root` + +#### root policy definitions + +
158 policy definitions + +- Append-AppService-httpsonly +- Append-AppService-latestTLS +- Append-KV-SoftDelete +- Append-Redis-disableNonSslPort +- Append-Redis-sslEnforcement +- Audit-AzureHybridBenefit +- Audit-Disks-UnusedResourcesCostOptimization +- Audit-MachineLearning-PrivateEndpointId +- Audit-PrivateLinkDnsZones +- Audit-PublicIpAddresses-UnusedResourcesCostOptimization +- Audit-ServerFarms-UnusedResourcesCostOptimization +- Deny-AA-child-resources +- Deny-APIM-TLS +- Deny-AppGW-Without-WAF +- Deny-AppGw-Without-Tls +- Deny-AppService-without-BYOC +- Deny-AppServiceApiApp-http +- Deny-AppServiceFunctionApp-http +- Deny-AppServiceWebApp-http +- Deny-AzFw-Without-Policy +- Deny-CognitiveServices-NetworkAcls +- Deny-CognitiveServices-Resource-Kinds +- Deny-CognitiveServices-RestrictOutboundNetworkAccess +- Deny-Databricks-NoPublicIp +- Deny-Databricks-Sku +- Deny-Databricks-VirtualNetwork +- Deny-EH-Premium-CMK +- Deny-EH-minTLS +- Deny-FileServices-InsecureAuth +- Deny-FileServices-InsecureKerberos +- Deny-FileServices-InsecureSmbChannel +- Deny-FileServices-InsecureSmbVersions +- Deny-LogicApp-Public-Network +- Deny-LogicApps-Without-Https +- Deny-MachineLearning-Aks +- Deny-MachineLearning-Compute-SubnetId +- Deny-MachineLearning-Compute-VmSize +- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess +- Deny-MachineLearning-ComputeCluster-Scale +- Deny-MachineLearning-HbiWorkspace +- Deny-MachineLearning-PublicAccessWhenBehindVnet +- Deny-MachineLearning-PublicNetworkAccess +- Deny-MgmtPorts-From-Internet +- Deny-MySql-http +- Deny-PostgreSql-http +- Deny-Private-DNS-Zones +- Deny-PublicEndpoint-MariaDB +- Deny-PublicIP +- Deny-RDP-From-Internet +- Deny-Redis-http +- Deny-Service-Endpoints +- Deny-Sql-minTLS +- Deny-SqlMi-minTLS +- Deny-Storage-ContainerDeleteRetentionPolicy +- Deny-Storage-CopyScope +- Deny-Storage-CorsRules +- Deny-Storage-LocalUser +- Deny-Storage-NetworkAclsBypass +- Deny-Storage-NetworkAclsVirtualNetworkRules +- 
Deny-Storage-ResourceAccessRulesResourceId +- Deny-Storage-ResourceAccessRulesTenantId +- Deny-Storage-SFTP +- Deny-Storage-ServicesEncryption +- Deny-Storage-minTLS +- Deny-StorageAccount-CustomDomain +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Penp +- Deny-Subnet-Without-Udr +- Deny-UDR-With-Specific-NextHop +- Deny-VNET-Peer-Cross-Sub +- Deny-VNET-Peering-To-Non-Approved-VNETs +- Deny-VNet-Peering +- DenyAction-ActivityLogs +- DenyAction-DeleteResources +- DenyAction-DiagnosticLogs +- Deploy-ASC-SecurityContacts +- Deploy-Budget +- Deploy-Custom-Route-Table +- Deploy-DDoSProtection +- Deploy-Diagnostics-AA +- Deploy-Diagnostics-ACI +- Deploy-Diagnostics-ACR +- Deploy-Diagnostics-APIMgmt +- Deploy-Diagnostics-AVDScalingPlans +- Deploy-Diagnostics-AnalysisService +- Deploy-Diagnostics-ApiForFHIR +- Deploy-Diagnostics-ApplicationGateway +- Deploy-Diagnostics-Bastion +- Deploy-Diagnostics-CDNEndpoints +- Deploy-Diagnostics-CognitiveServices +- Deploy-Diagnostics-CosmosDB +- Deploy-Diagnostics-DLAnalytics +- Deploy-Diagnostics-DataExplorerCluster +- Deploy-Diagnostics-DataFactory +- Deploy-Diagnostics-Databricks +- Deploy-Diagnostics-EventGridSub +- Deploy-Diagnostics-EventGridSystemTopic +- Deploy-Diagnostics-EventGridTopic +- Deploy-Diagnostics-ExpressRoute +- Deploy-Diagnostics-Firewall +- Deploy-Diagnostics-FrontDoor +- Deploy-Diagnostics-Function +- Deploy-Diagnostics-HDInsight +- Deploy-Diagnostics-LoadBalancer +- Deploy-Diagnostics-LogAnalytics +- Deploy-Diagnostics-LogicAppsISE +- Deploy-Diagnostics-MariaDB +- Deploy-Diagnostics-MediaService +- Deploy-Diagnostics-MlWorkspace +- Deploy-Diagnostics-MySQL +- Deploy-Diagnostics-NIC +- Deploy-Diagnostics-NetworkSecurityGroups +- Deploy-Diagnostics-PostgreSQL +- Deploy-Diagnostics-PowerBIEmbedded +- Deploy-Diagnostics-RedisCache +- Deploy-Diagnostics-Relay +- Deploy-Diagnostics-SQLElasticPools +- Deploy-Diagnostics-SQLMI +- Deploy-Diagnostics-SignalR +- Deploy-Diagnostics-TimeSeriesInsights +- 
Deploy-Diagnostics-TrafficManager +- Deploy-Diagnostics-VM +- Deploy-Diagnostics-VMSS +- Deploy-Diagnostics-VNetGW +- Deploy-Diagnostics-VWanS2SVPNGW +- Deploy-Diagnostics-VirtualNetwork +- Deploy-Diagnostics-WVDAppGroup +- Deploy-Diagnostics-WVDHostPools +- Deploy-Diagnostics-WVDWorkspace +- Deploy-Diagnostics-WebServerFarm +- Deploy-Diagnostics-Website +- Deploy-Diagnostics-iotHub +- Deploy-FirewallPolicy +- Deploy-LogicApp-TLS +- Deploy-MDFC-Arc-SQL-DCR-Association +- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR +- Deploy-MDFC-SQL-AMA +- Deploy-MDFC-SQL-DefenderSQL +- Deploy-MDFC-SQL-DefenderSQL-DCR +- Deploy-MySQL-sslEnforcement +- Deploy-Nsg-FlowLogs +- Deploy-Nsg-FlowLogs-to-LA +- Deploy-PostgreSQL-sslEnforcement +- Deploy-Private-DNS-Generic +- Deploy-SQL-minTLS +- Deploy-Sql-AuditingSettings +- Deploy-Sql-SecurityAlertPolicies +- Deploy-Sql-Tde +- Deploy-Sql-vulnerabilityAssessments +- Deploy-Sql-vulnerabilityAssessments_20230706 +- Deploy-SqlMi-minTLS +- Deploy-Storage-sslEnforcement +- Deploy-UserAssignedManagedIdentity-VMInsights +- Deploy-VNET-HubSpoke +- Deploy-Vm-autoShutdown +- Deploy-Windows-DomainJoin +- Modify-NSG +- Modify-UDR +
+ +#### root policy set definitions + +
45 policy set definitions + +- Audit-TrustedLaunch +- Audit-UnusedResourcesCostOptimization +- Deny-PublicPaaSEndpoints +- DenyAction-DeleteProtection +- Deploy-AUM-CheckUpdates +- Deploy-Diagnostics-LogAnalytics +- Deploy-MDFC-Config +- Deploy-MDFC-Config_20240319 +- Deploy-MDFC-DefenderSQL-AMA +- Deploy-Private-DNS-Zones +- Deploy-Sql-Security +- Deploy-Sql-Security_20240529 +- Enforce-ACSB +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-Backup +- Enforce-EncryptTransit +- Enforce-EncryptTransit_20240509 +- Enforce-Encryption-CMK +- Enforce-Guardrails-APIM +- Enforce-Guardrails-AppServices +- Enforce-Guardrails-Automation +- Enforce-Guardrails-CognitiveServices +- Enforce-Guardrails-Compute +- Enforce-Guardrails-ContainerApps +- Enforce-Guardrails-ContainerInstance +- Enforce-Guardrails-ContainerRegistry +- Enforce-Guardrails-CosmosDb +- Enforce-Guardrails-DataExplorer +- Enforce-Guardrails-DataFactory +- Enforce-Guardrails-EventGrid +- Enforce-Guardrails-EventHub +- Enforce-Guardrails-KeyVault +- Enforce-Guardrails-KeyVault-Sup +- Enforce-Guardrails-Kubernetes +- Enforce-Guardrails-MachineLearning +- Enforce-Guardrails-MySQL +- Enforce-Guardrails-Network +- Enforce-Guardrails-OpenAI +- Enforce-Guardrails-PostgreSQL +- Enforce-Guardrails-SQL +- Enforce-Guardrails-ServiceBus +- Enforce-Guardrails-Storage +- Enforce-Guardrails-Synapse +- Enforce-Guardrails-VirtualDesktop +
+ +#### root policy assignments + +
15 policy assignments + +- Audit-ResourceRGLocation +- Audit-TrustedLaunch +- Audit-UnusedResources +- Audit-ZoneResiliency +- Deny-Classic-Resources +- Deny-UnmanagedDisk +- Deploy-ASC-Monitoring +- Deploy-AzActivity-Log +- Deploy-Diag-Logs +- Deploy-MDEndpoints +- Deploy-MDEndpointsAMA +- Deploy-MDFC-Config-H224 +- Deploy-MDFC-OssDb +- Deploy-MDFC-SqlAtp +- Enforce-ACSB +
+ +#### root role definitions + +
5 role definitions + +- Application-Owners +- Network-Management +- Network-Subnet-Contributor +- Security-Operations +- Subscription-Owner +
+ +### archetype `sandboxes` + +#### sandboxes policy assignments + +
1 policy assignments + +- Enforce-ALZ-Sandbox +
+ +### archetype `so_01_data_residency` + +#### so_01_data_residency policy assignments + +
1 policy assignments + +- SO-01-Data-Residency +
+ +### archetype `so_04_cmk` + +#### so_04_cmk policy assignments + +
1 policy assignments + +- SO-04-CMK +
+ +### archetype `tr_01_logging` + +#### tr_01_logging policy assignments + +
1 policy assignments + +- TR-01-Logging +
+ +## Policy Default Values + +The following policy default values are available in this library: + +### default name `allowedLocations` + +#### assignment `SO-01-Data-Residency` + +
1 parameter names + +- listOfAllowedLocations-1 +
+ +### default name `allowedLocationsForConfidentialComputing` + +#### assignment `Enforce-Fsi-Conf` + +
1 parameter names + +- listOfAllowedLocations +
+ +### default name `ddosProtectionPlanEffect` + +#### assignment `Enable-DDoS-VNET` + +
1 parameter names + +- effect +
+ +### default name `ddosProtectionPlanId` + +#### assignment `Enable-DDoS-VNET` + +
1 parameter names + +- ddosPlan +
+ +### default name `emailSecurityContact` + +#### assignment `Deploy-MDFC-Config-H224` + +
1 parameter names + +- emailSecurityContact +
+ +### default name `logAnalyticsWorkspaceId` + +#### assignment `Deploy-Diag-Logs` + +
1 parameter names + +- logAnalytics +
+ +#### assignment `TR-01-Logging` + +
1 parameter names + +- logAnalytics +
+ +### default name `policyEffect` + +#### assignment `Enforce-Fsi-Conf` + +
1 parameter names + +- effect +
+ +--- +## Contents + +### all policy definitions + +
158 policy definitions + +- Append-AppService-httpsonly +- Append-AppService-latestTLS +- Append-KV-SoftDelete +- Append-Redis-disableNonSslPort +- Append-Redis-sslEnforcement +- Audit-AzureHybridBenefit +- Audit-Disks-UnusedResourcesCostOptimization +- Audit-MachineLearning-PrivateEndpointId +- Audit-PrivateLinkDnsZones +- Audit-PublicIpAddresses-UnusedResourcesCostOptimization +- Audit-ServerFarms-UnusedResourcesCostOptimization +- Deny-AA-child-resources +- Deny-APIM-TLS +- Deny-AppGW-Without-WAF +- Deny-AppGw-Without-Tls +- Deny-AppService-without-BYOC +- Deny-AppServiceApiApp-http +- Deny-AppServiceFunctionApp-http +- Deny-AppServiceWebApp-http +- Deny-AzFw-Without-Policy +- Deny-CognitiveServices-NetworkAcls +- Deny-CognitiveServices-Resource-Kinds +- Deny-CognitiveServices-RestrictOutboundNetworkAccess +- Deny-Databricks-NoPublicIp +- Deny-Databricks-Sku +- Deny-Databricks-VirtualNetwork +- Deny-EH-Premium-CMK +- Deny-EH-minTLS +- Deny-FileServices-InsecureAuth +- Deny-FileServices-InsecureKerberos +- Deny-FileServices-InsecureSmbChannel +- Deny-FileServices-InsecureSmbVersions +- Deny-LogicApp-Public-Network +- Deny-LogicApps-Without-Https +- Deny-MachineLearning-Aks +- Deny-MachineLearning-Compute-SubnetId +- Deny-MachineLearning-Compute-VmSize +- Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess +- Deny-MachineLearning-ComputeCluster-Scale +- Deny-MachineLearning-HbiWorkspace +- Deny-MachineLearning-PublicAccessWhenBehindVnet +- Deny-MachineLearning-PublicNetworkAccess +- Deny-MgmtPorts-From-Internet +- Deny-MySql-http +- Deny-PostgreSql-http +- Deny-Private-DNS-Zones +- Deny-PublicEndpoint-MariaDB +- Deny-PublicIP +- Deny-RDP-From-Internet +- Deny-Redis-http +- Deny-Service-Endpoints +- Deny-Sql-minTLS +- Deny-SqlMi-minTLS +- Deny-Storage-ContainerDeleteRetentionPolicy +- Deny-Storage-CopyScope +- Deny-Storage-CorsRules +- Deny-Storage-LocalUser +- Deny-Storage-NetworkAclsBypass +- Deny-Storage-NetworkAclsVirtualNetworkRules +- 
Deny-Storage-ResourceAccessRulesResourceId +- Deny-Storage-ResourceAccessRulesTenantId +- Deny-Storage-SFTP +- Deny-Storage-ServicesEncryption +- Deny-Storage-minTLS +- Deny-StorageAccount-CustomDomain +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Penp +- Deny-Subnet-Without-Udr +- Deny-UDR-With-Specific-NextHop +- Deny-VNET-Peer-Cross-Sub +- Deny-VNET-Peering-To-Non-Approved-VNETs +- Deny-VNet-Peering +- DenyAction-ActivityLogs +- DenyAction-DeleteResources +- DenyAction-DiagnosticLogs +- Deploy-ASC-SecurityContacts +- Deploy-Budget +- Deploy-Custom-Route-Table +- Deploy-DDoSProtection +- Deploy-Diagnostics-AA +- Deploy-Diagnostics-ACI +- Deploy-Diagnostics-ACR +- Deploy-Diagnostics-APIMgmt +- Deploy-Diagnostics-AVDScalingPlans +- Deploy-Diagnostics-AnalysisService +- Deploy-Diagnostics-ApiForFHIR +- Deploy-Diagnostics-ApplicationGateway +- Deploy-Diagnostics-Bastion +- Deploy-Diagnostics-CDNEndpoints +- Deploy-Diagnostics-CognitiveServices +- Deploy-Diagnostics-CosmosDB +- Deploy-Diagnostics-DLAnalytics +- Deploy-Diagnostics-DataExplorerCluster +- Deploy-Diagnostics-DataFactory +- Deploy-Diagnostics-Databricks +- Deploy-Diagnostics-EventGridSub +- Deploy-Diagnostics-EventGridSystemTopic +- Deploy-Diagnostics-EventGridTopic +- Deploy-Diagnostics-ExpressRoute +- Deploy-Diagnostics-Firewall +- Deploy-Diagnostics-FrontDoor +- Deploy-Diagnostics-Function +- Deploy-Diagnostics-HDInsight +- Deploy-Diagnostics-LoadBalancer +- Deploy-Diagnostics-LogAnalytics +- Deploy-Diagnostics-LogicAppsISE +- Deploy-Diagnostics-MariaDB +- Deploy-Diagnostics-MediaService +- Deploy-Diagnostics-MlWorkspace +- Deploy-Diagnostics-MySQL +- Deploy-Diagnostics-NIC +- Deploy-Diagnostics-NetworkSecurityGroups +- Deploy-Diagnostics-PostgreSQL +- Deploy-Diagnostics-PowerBIEmbedded +- Deploy-Diagnostics-RedisCache +- Deploy-Diagnostics-Relay +- Deploy-Diagnostics-SQLElasticPools +- Deploy-Diagnostics-SQLMI +- Deploy-Diagnostics-SignalR +- Deploy-Diagnostics-TimeSeriesInsights +- 
Deploy-Diagnostics-TrafficManager +- Deploy-Diagnostics-VM +- Deploy-Diagnostics-VMSS +- Deploy-Diagnostics-VNetGW +- Deploy-Diagnostics-VWanS2SVPNGW +- Deploy-Diagnostics-VirtualNetwork +- Deploy-Diagnostics-WVDAppGroup +- Deploy-Diagnostics-WVDHostPools +- Deploy-Diagnostics-WVDWorkspace +- Deploy-Diagnostics-WebServerFarm +- Deploy-Diagnostics-Website +- Deploy-Diagnostics-iotHub +- Deploy-FirewallPolicy +- Deploy-LogicApp-TLS +- Deploy-MDFC-Arc-SQL-DCR-Association +- Deploy-MDFC-Arc-Sql-DefenderSQL-DCR +- Deploy-MDFC-SQL-AMA +- Deploy-MDFC-SQL-DefenderSQL +- Deploy-MDFC-SQL-DefenderSQL-DCR +- Deploy-MySQL-sslEnforcement +- Deploy-Nsg-FlowLogs +- Deploy-Nsg-FlowLogs-to-LA +- Deploy-PostgreSQL-sslEnforcement +- Deploy-Private-DNS-Generic +- Deploy-SQL-minTLS +- Deploy-Sql-AuditingSettings +- Deploy-Sql-SecurityAlertPolicies +- Deploy-Sql-Tde +- Deploy-Sql-vulnerabilityAssessments +- Deploy-Sql-vulnerabilityAssessments_20230706 +- Deploy-SqlMi-minTLS +- Deploy-Storage-sslEnforcement +- Deploy-UserAssignedManagedIdentity-VMInsights +- Deploy-VNET-HubSpoke +- Deploy-Vm-autoShutdown +- Deploy-Windows-DomainJoin +- Modify-NSG +- Modify-UDR +
+ +### all policy set definitions + +
47 policy set definitions + +- 50e4abe0-fc74-4546-9bd4-070ad748670b +- Audit-TrustedLaunch +- Audit-UnusedResourcesCostOptimization +- Deny-PublicPaaSEndpoints +- DenyAction-DeleteProtection +- Deploy-AUM-CheckUpdates +- Deploy-Diagnostics-LogAnalytics +- Deploy-MDFC-Config +- Deploy-MDFC-Config_20240319 +- Deploy-MDFC-DefenderSQL-AMA +- Deploy-Private-DNS-Zones +- Deploy-Sql-Security +- Deploy-Sql-Security_20240529 +- Enforce-ACSB +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-Backup +- Enforce-EncryptTransit +- Enforce-EncryptTransit_20240509 +- Enforce-Encryption-CMK +- Enforce-Guardrails-APIM +- Enforce-Guardrails-AppServices +- Enforce-Guardrails-Automation +- Enforce-Guardrails-CognitiveServices +- Enforce-Guardrails-Compute +- Enforce-Guardrails-ContainerApps +- Enforce-Guardrails-ContainerInstance +- Enforce-Guardrails-ContainerRegistry +- Enforce-Guardrails-CosmosDb +- Enforce-Guardrails-DataExplorer +- Enforce-Guardrails-DataFactory +- Enforce-Guardrails-EventGrid +- Enforce-Guardrails-EventHub +- Enforce-Guardrails-KeyVault +- Enforce-Guardrails-KeyVault-Sup +- Enforce-Guardrails-Kubernetes +- Enforce-Guardrails-MachineLearning +- Enforce-Guardrails-MySQL +- Enforce-Guardrails-Network +- Enforce-Guardrails-OpenAI +- Enforce-Guardrails-PostgreSQL +- Enforce-Guardrails-SQL +- Enforce-Guardrails-ServiceBus +- Enforce-Guardrails-Storage +- Enforce-Guardrails-Synapse +- Enforce-Guardrails-VirtualDesktop +- d22ea5a9-2a46-4f25-8d11-e8ef42769e46 +
+ +### all policy assignments + +
74 policy assignments + +- Audit-AppGW-WAF +- Audit-PeDnsZones +- Audit-ResourceRGLocation +- Audit-TrustedLaunch +- Audit-UnusedResources +- Audit-ZoneResiliency +- Deny-AppGW-Without-WAF +- Deny-Classic-Resources +- Deny-DataB-Pip +- Deny-DataB-Sku +- Deny-DataB-Vnet +- Deny-HybridNetworking +- Deny-IP-forwarding +- Deny-MgmtPorts-Internet +- Deny-Priv-Esc-AKS +- Deny-Private-DNS-Zones +- Deny-Privileged-AKS +- Deny-Public-Endpoints +- Deny-Public-IP +- Deny-Public-IP-On-NIC +- Deny-RDP-From-Internet +- Deny-RSG-Locations +- Deny-Resource-Locations +- Deny-Resource-Types +- Deny-Storage-http +- Deny-Subnet-Without-Nsg +- Deny-Subnet-Without-Udr +- Deny-UnmanagedDisk +- DenyAction-DeleteUAMIAMA +- Deploy-AKS-Policy +- Deploy-ASC-Monitoring +- Deploy-AzActivity-Log +- Deploy-AzSqlDb-Auditing +- Deploy-Diag-Logs +- Deploy-Log-Analytics +- Deploy-MDEndpoints +- Deploy-MDEndpointsAMA +- Deploy-MDFC-Config +- Deploy-MDFC-Config-H224 +- Deploy-MDFC-DefSQL-AMA +- Deploy-MDFC-DefenSQL-AMA +- Deploy-MDFC-OssDb +- Deploy-MDFC-SqlAtp +- Deploy-Private-DNS-Zones +- Deploy-Resource-Diag +- Deploy-SQL-DB-Auditing +- Deploy-SQL-Security +- Deploy-SQL-TDE +- Deploy-SQL-Threat +- Deploy-UAMI-VMInsights +- Deploy-VM-Backup +- Deploy-VM-ChangeTrack +- Deploy-VM-Monitoring +- Deploy-VMSS-ChangeTrack +- Deploy-VMSS-Monitoring +- Deploy-vmArc-ChangeTrack +- Deploy-vmHybr-Monitoring +- Enable-AUM-CheckUpdates +- Enable-AUM-VM-Windows +- Enable-AUM-VMHyb-Windows +- Enable-DDoS-VNET +- Enforce-ACSB +- Enforce-AKS-HTTPS +- Enforce-ALZ-Decomm +- Enforce-ALZ-Sandbox +- Enforce-ASR +- Enforce-Fsi-Conf +- Enforce-GR-KeyVault +- Enforce-TLS-SSL +- Enforce-TLS-SSL-H224 +- RE-01-Zonal-Residency +- SO-01-Data-Residency +- SO-04-CMK +- TR-01-Logging +
+ +### all role definitions + +
5 role definitions + +- Application-Owners +- Network-Management +- Network-Subnet-Contributor +- Security-Operations +- Subscription-Owner +
+ 
\ No newline at end of file
diff --git a/platform/fsi/alz_library_metadata.json b/platform/fsi/alz_library_metadata.json
new file mode 100644
index 0000000..0c41e3d
--- /dev/null
+++ b/platform/fsi/alz_library_metadata.json
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json",
+ "name": "FSI",
+ "display_name": "Financial Services Industry",
+ "description": "This library provides the reference set of Financial Services Industry (FSI) policies, archetypes, and management group architecture.",
+ "path": "platform/fsi",
+ "dependencies": [
+ {
+ "path": "platform/alz",
+ "ref": "2024.07.4"
+ }
+ ]
+}
diff --git a/platform/fsi/alz_policy_default_values.json b/platform/fsi/alz_policy_default_values.json
new file mode 100644
index 0000000..cb7b3de
--- /dev/null
+++ b/platform/fsi/alz_policy_default_values.json
@@ -0,0 +1,87 @@
+{
+ "defaults": [
+ {
+ "default_name": "allowedLocationsForConfidentialComputing",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "listOfAllowedLocations"
+ ],
+ "policy_assignment_name": "Enforce-Fsi-Conf"
+ }
+ ]
+ },
+ {
+ "default_name": "allowedLocations",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "listOfAllowedLocations-1"
+ ],
+ "policy_assignment_name": "SO-01-Data-Residency"
+ }
+ ]
+ },
+ {
+ "default_name": "policyEffect",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enforce-Fsi-Conf"
+ }
+ ]
+ },
+ {
+ "default_name": "ddosProtectionPlanId",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "ddosPlan"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "ddosProtectionPlanEffect",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "effect"
+ ],
+ "policy_assignment_name": "Enable-DDoS-VNET"
+ }
+ ]
+ },
+ {
+ "default_name": "emailSecurityContact",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "emailSecurityContact"
+ ],
+ "policy_assignment_name": "Deploy-MDFC-Config-H224"
+ }
+ ]
+ },
+ {
+ "default_name": "logAnalyticsWorkspaceId",
+ "policy_assignments": [
+ {
+ "parameter_names": [
+ "logAnalytics"
+ ],
+ "policy_assignment_name": "TR-01-Logging"
+ },
+ {
+ "parameter_names": [
+ "logAnalytics"
+ ],
+ "policy_assignment_name": "Deploy-Diag-Logs"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/platform/fsi/archetype_definitions/confidential.alz_archetype_definition.json b/platform/fsi/archetype_definitions/confidential.alz_archetype_definition.json
new file mode 100644
index 0000000..0a34c2f
--- /dev/null
+++ b/platform/fsi/archetype_definitions/confidential.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "confidential",
+ "policy_assignments": [
+ "Enforce-Fsi-Conf"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
diff --git a/platform/fsi/archetype_definitions/fsi_root.alz_archetype_definition.json b/platform/fsi/archetype_definitions/fsi_root.alz_archetype_definition.json
new file mode 100644
index 0000000..0159e21
--- /dev/null
+++ b/platform/fsi/archetype_definitions/fsi_root.alz_archetype_definition.json
@@ -0,0 +1,10 @@
+{
+ "name": "fsi_root",
+ "policy_assignments": [],
+ "policy_definitions": [],
+ "policy_set_definitions": [
+ "50e4abe0-fc74-4546-9bd4-070ad748670b",
+ "d22ea5a9-2a46-4f25-8d11-e8ef42769e46"
+ ],
+ "role_definitions": []
+}
\ No newline at end of file
diff --git a/platform/fsi/archetype_definitions/re_01_zonal_residency.alz_archetype_definition.json b/platform/fsi/archetype_definitions/re_01_zonal_residency.alz_archetype_definition.json
new file mode 100644
index 0000000..2796710
--- /dev/null
+++ b/platform/fsi/archetype_definitions/re_01_zonal_residency.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "re_01_zonal_residency",
+ "policy_assignments": [
+ "RE-01-Zonal-Residency"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
\ No newline at end of file
diff --git a/platform/fsi/archetype_definitions/so_01_data_residency.alz_archetype_definition.json b/platform/fsi/archetype_definitions/so_01_data_residency.alz_archetype_definition.json
new file mode 100644
index 0000000..09a61da
--- /dev/null
+++ b/platform/fsi/archetype_definitions/so_01_data_residency.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "so_01_data_residency",
+ "policy_assignments": [
+ "SO-01-Data-Residency"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
\ No newline at end of file
diff --git a/platform/fsi/archetype_definitions/so_04_cmk.alz_archetype_definition.json b/platform/fsi/archetype_definitions/so_04_cmk.alz_archetype_definition.json
new file mode 100644
index 0000000..e66c448
--- /dev/null
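Review bot: The two policy set definitions attached to `fsi_root` are referenced only by GUID (`50e4abe0-fc74-4546-9bd4-070ad748670b`, `d22ea5a9-2a46-4f25-8d11-e8ef42769e46`), so a reader of this archetype cannot tell which controls it carries or review whether the right ones are wired. The diffstat names the set definition files `SO-01-Data-Residency` and `SO-04-CMK`, so presumably these GUIDs are that pair, but nothing in the library records the mapping and the generated README repeats the bare GUIDs. If the set definitions' `name` has to stay a GUID, I would document the mapping in the README's `fsi_root` section (one line per GUID naming the control it implements) so the archetype can be audited without opening each set definition. Note also that `policy_assignments` is empty here, so this archetype only registers the definitions; nothing is assigned at the root by it.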
+++ b/platform/fsi/archetype_definitions/so_04_cmk.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "so_04_cmk",
+ "policy_assignments": [
+ "SO-04-CMK"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
\ No newline at end of file
diff --git a/platform/fsi/archetype_definitions/tr_01_logging.alz_archetype_definition.json b/platform/fsi/archetype_definitions/tr_01_logging.alz_archetype_definition.json
new file mode 100644
index 0000000..520ffd1
--- /dev/null
+++ b/platform/fsi/archetype_definitions/tr_01_logging.alz_archetype_definition.json
@@ -0,0 +1,9 @@
+{
+ "name": "tr_01_logging",
+ "policy_assignments": [
+ "TR-01-Logging"
+ ],
+ "policy_definitions": [],
+ "policy_set_definitions": [],
+ "role_definitions": []
+}
\ No newline at end of file
diff --git a/platform/fsi/architecture_definitions/fsi.alz_architecture_definition.json b/platform/fsi/architecture_definitions/fsi.alz_architecture_definition.json
new file mode 100644
index 0000000..92028bc
--- /dev/null
+++ b/platform/fsi/architecture_definitions/fsi.alz_architecture_definition.json
@@ -0,0 +1,89 @@
+{
+ "name": "fsi",
+ "management_groups": [
+ {
+ "archetypes": ["fsi_root", "root"],
+ "display_name": "FSI Landing Zone",
+ "exists": false,
+ "id": "fsi",
+ "parent_id": null
+ },
+ {
+ "archetypes": ["landing_zones"],
+ "display_name": "Landing Zones",
+ "exists": false,
+ "id": "fsi-landingzones",
+ "parent_id": "fsi"
+ },
+ {
+ "archetypes": ["platform"],
+ "display_name": "Platform",
+ "exists": false,
+ "id": "fsi-platform",
+ "parent_id": "fsi"
+ },
+ {
+ "archetypes": ["identity"],
+ "display_name": "Identity",
+ "exists": false,
+ "id": "fsi-platform-identity",
+ "parent_id": "fsi-platform"
+ },
+ {
+ "archetypes": ["connectivity"],
+ "display_name": "Connectivity",
+ "exists": false,
+ "id": "fsi-platform-connectivity",
+ "parent_id": "fsi-platform"
+ },
+ {
+ "archetypes": ["management"],
+ "display_name": "Management",
+ "exists": false,
+ "id": "fsi-platform-management",
+ "parent_id": "fsi-platform"
+ },
+ {
+ "archetypes": ["corp"],
+ "display_name": "Corp",
+ "exists": false,
+ "id": "fsi-landingzones-corp",
+ "parent_id": "fsi-landingzones"
+ },
+ {
+ "archetypes": ["confidential", "corp"],
+ "display_name": "Confidential Corp",
+ "exists": false,
+ "id": "fsi-landingzones-confidential-corp",
+ "parent_id": "fsi-landingzones"
+ },
+ {
+ "archetypes": ["online"],
+ "display_name": "Online",
+ "exists": false,
+ "id": "fsi-landingzones-online",
+ "parent_id": "fsi-landingzones"
+ },
+ {
+ "archetypes": ["confidential", "online"],
+ "display_name": "Confidential Online",
+ "exists": false,
+ "id": "fsi-landingzones-confidential-online",
+ "parent_id": "fsi-landingzones"
+ },
+ {
+ "archetypes": ["sandboxes"],
+ "display_name": "Sandbox",
+ "exists": false,
+ "id": "fsi-sandbox",
+ "parent_id": "fsi"
+ },
+ {
+ "archetypes": ["decommissioned"],
+ "display_name": "Decommissioned",
+ "exists": false,
+ "id": "fsi-decommissioned",
+ "parent_id": "fsi"
+ }
+ ]
+}
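Review bot: None of the `re_01_zonal_residency`, `so_01_data_residency`, `so_04_cmk` or `tr_01_logging` archetypes added earlier in this patch is referenced by any `archetypes` array here, so the RE/SO/TR assignments they carry are never deployed by this architecture; `fsi_root` only contributes the two custom policy set definitions to the `fsi` management group, and nothing assigns them. If consumers are meant to opt in by attaching those archetypes to a management group, the README should say so explicitly; otherwise the `fsi` entry's `"archetypes": ["fsi_root", "root"]` is where they would be listed. Every entry also sets `"exists": false`; if that flag keeps its usual ALZ library meaning of "create rather than reuse", the expectation for tenants where an `fsi` hierarchy already exists should be documented too.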
diff --git a/platform/fsi/policy_assignments/enforce_fsi_conf.alz_policy_assignment.json b/platform/fsi/policy_assignments/enforce_fsi_conf.alz_policy_assignment.json
new file mode 100644
index 0000000..72fe3a0
--- /dev/null
+++ b/platform/fsi/policy_assignments/enforce_fsi_conf.alz_policy_assignment.json
@@ -0,0 +1,277 @@
+{
+ "name": "Enforce-Fsi-Conf",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2019-09-01",
+ "properties": {
+ "description": "The Microsoft Cloud for Financial Services recommends confidential policies to help organizations achieve their financial services goals by default denying the creation of resources outside of approved regions, denying resources that are not backed by Azure Confidential Computing, and denying data storage resources that are not using Customer-Managed Keys.",
+ "displayName": "[Preview]: Financial Services Baseline - Confidential Policies",
+ "notScopes": [],
+ "parameters": {
+ "allowedResourceTypes": {
+ "value": [
+ "Microsoft.Attestation/attestationProviders",
+ "Microsoft.Compute/availabilitySets",
+ "Microsoft.Compute/capacityReservationGroups",
+ "Microsoft.Compute/capacityReservationGroups/capacityReservations",
+ "Microsoft.Compute/cloudServices",
+ "Microsoft.Compute/cloudServices/roles",
+ "Microsoft.Compute/cloudServices/roleInstances",
+ "Microsoft.Compute/cloudServices/networkInterfaces",
+ "Microsoft.Compute/cloudServices/roleInstances/networkInterfaces",
+ "Microsoft.Compute/cloudServices/publicIPAddresses",
+ "Microsoft.Compute/disks",
+ "Microsoft.Compute/diskEncryptionSets",
+ "Microsoft.Compute/diskAccesses",
+ "Microsoft.Compute/galleries",
+ "Microsoft.Compute/galleries/images",
+ "Microsoft.Compute/galleries/images/versions",
+ "Microsoft.Compute/galleries/applications",
+ "Microsoft.Compute/galleries/applications/versions",
+ "Microsoft.Compute/hostGroups",
+ "Microsoft.Compute/hostGroups/hosts",
+ "Microsoft.Compute/images",
+ "Microsoft.Compute/locations",
+ "Microsoft.Compute/locations/artifactPublishers",
+ "Microsoft.Compute/locations/csoperations",
+ "Microsoft.Compute/locations/cloudServiceOsVersions",
+ "Microsoft.Compute/locations/cloudServiceOsFamilies",
+ "Microsoft.Compute/locations/capsoperations",
+ "Microsoft.Compute/locations/communityGalleries",
+ "Microsoft.Compute/locations/diagnostics",
+ "Microsoft.Compute/locations/diagnosticOperations",
+ "Microsoft.Compute/locations/diskoperations",
+ "Microsoft.Compute/locations/edgeZones",
+ "Microsoft.Compute/locations/edgeZones/vmimages",
+ "Microsoft.Compute/locations/edgeZones/publishers",
+ "Microsoft.Compute/locations/galleries",
+ "Microsoft.Compute/locations/logAnalytics",
+ "Microsoft.Compute/locations/recommendations",
+ "Microsoft.Compute/locations/runCommands",
+ "Microsoft.Compute/locations/sharedGalleries",
+ "Microsoft.Compute/locations/spotEvictionRates",
+ "Microsoft.Compute/locations/spotPriceHistory",
+ "Microsoft.Compute/locations/operations",
+ "Microsoft.Compute/locations/publishers",
+ "Microsoft.Compute/locations/usages",
+ "Microsoft.Compute/locations/vmSizes",
+ "Microsoft.Compute/locations/virtualMachines",
+ "Microsoft.Compute/locations/virtualMachineScaleSets",
+ "Microsoft.Compute/operations",
+ "Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints",
+ "Microsoft.Compute/virtualMachines",
+ "Microsoft.Compute/virtualMachines/applications",
+ "Microsoft.Compute/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachines/metricDefinitions",
+ "Microsoft.Compute/virtualMachines/runCommands",
+ "Microsoft.Compute/virtualMachineScaleSets",
+ "Microsoft.Compute/virtualMachineScaleSets/applications",
+ "Microsoft.Compute/virtualMachineScaleSets/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/networkInterfaces",
+ "Microsoft.Compute/virtualMachineScaleSets/publicIPAddresses",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/extensions",
+ "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces",
+ "Microsoft.Compute/restorePointCollections",
+ "Microsoft.Compute/restorePointCollections/restorePoints",
+ "Microsoft.Compute/proximityPlacementGroups",
+ "Microsoft.Compute/sshPublicKeys",
+ "Microsoft.Compute/sharedVMImages",
+ "Microsoft.Compute/sharedVMImages/versions",
+ "Microsoft.Compute/snapshots",
+ "Microsoft.ConfidentialLedger/checkNameAvailability",
+ "Microsoft.ConfidentialLedger/Ledgers",
+ "Microsoft.ConfidentialLedger/Locations",
+ "Microsoft.ConfidentialLedger/Locations/operations",
+ "Microsoft.ConfidentialLedger/Locations/operationstatuses",
+ "Microsoft.ConfidentialLedger/ManagedCCFs",
+ "Microsoft.ContainerService/managedClusters",
+ "Microsoft.ContainerService/managedClusters/agentPools",
+ "Microsoft.HardwareSecurityModules/dedicatedHSMs",
+ "Microsoft.HardwareSecurityModules/locations",
+ "Microsoft.HardwareSecurityModules/locations/operationResults",
+ "Microsoft.HardwareSecurityModules/operations",
+ "Microsoft.KeyVault/hsmPools",
+ "Microsoft.KeyVault/managedHSMs",
+ "Microsoft.KeyVault/locations/managedHsmOperationResults",
+ "Microsoft.KeyVault/checkMhsmNameAvailability",
+ "Microsoft.KeyVault/checkNameAvailability",
+ "Microsoft.KeyVault/deletedManagedHSMs",
+ "Microsoft.KeyVault/deletedVaults",
+ "Microsoft.KeyVault/locations",
+ "Microsoft.KeyVault/locations/deletedManagedHSMs",
+ "Microsoft.KeyVault/locations/deletedVaults",
+ "Microsoft.KeyVault/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.KeyVault/locations/operationResults",
+ "Microsoft.KeyVault/managedHSMs/privateEndpointConnections",
+ "Microsoft.KeyVault/operations",
+ "Microsoft.KeyVault/vaults",
+ "Microsoft.KeyVault/vaults/accessPolicies",
+ "Microsoft.KeyVault/vaults/eventGridFilters",
+ "Microsoft.KeyVault/vaults/keys",
+ "Microsoft.KeyVault/vaults/keys/versions",
+ "Microsoft.KeyVault/vaults/privateEndpointConnections",
+ "Microsoft.KeyVault/vaults/secrets",
+ "Microsoft.Kubernetes/connectedClusters",
+ "Microsoft.Kubernetes/locations",
+ "Microsoft.Kubernetes/locations/operationStatuses",
+ "Microsoft.Kubernetes/registeredSubscriptions",
+ "Microsoft.Kubernetes/Operations",
+ "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
+ "Microsoft.KubernetesConfiguration/extensions",
+ "Microsoft.KubernetesConfiguration/fluxConfigurations",
+ "Microsoft.KubernetesConfiguration/operations",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnections",
+ "Microsoft.KubernetesConfiguration/privateLinkScopes/privateEndpointConnectionProxies",
+ "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "Microsoft.Network/ddosProtectionPlans",
+ "Microsoft.Network/loadBalancers",
+ "Microsoft.Network/networkSecurityGroups",
+ "Microsoft.Network/networkInterfaces",
+ "Microsoft.Network/privateDnsZones",
+ "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
+ "Microsoft.Network/privateEndpoints",
+ "Microsoft.Network/privateEndpoints/privateDnsZoneGroups",
+ "Microsoft.Network/publicIPAddresses",
+ "Microsoft.Network/routeTables",
+ "Microsoft.Network/virtualNetworks",
+ "Microsoft.Network/virtualNetworks/subnets",
+ "Microsoft.Resources/deployments",
+ "Microsoft.Sql/locations/syncDatabaseIds",
+ "Microsoft.Sql/locations/longTermRetentionServers",
+ "Microsoft.Sql/locations/longTermRetentionBackups",
+ "Microsoft.Sql/locations/longTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/longTermRetentionBackupOperationResults",
+ "Microsoft.Sql/locations/longTermRetentionBackupAzureAsyncOperation",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/shortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyOperationResults",
+ "Microsoft.Sql/locations/managedShortTermRetentionPolicyAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroups",
+ "Microsoft.Sql/locations/instanceFailoverGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/instanceFailoverGroupOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionProxyAzureAsyncOperation",
+ "Microsoft.Sql/locations/privateEndpointConnectionOperationResults",
+ "Microsoft.Sql/locations/outboundFirewallRulesAzureAsyncOperation",
+ "Microsoft.Sql/locations/outboundFirewallRulesOperationResults",
+ "Microsoft.Sql/locations/privateEndpointConnectionAzureAsyncOperation",
+ "Microsoft.Sql/locations/notifyAzureAsyncOperation",
+ "Microsoft.Sql/locations/serverTrustGroups",
+ "Microsoft.Sql/locations/serverTrustGroupOperationResults",
+ "Microsoft.Sql/locations/serverTrustGroupAzureAsyncOperation",
+ "Microsoft.Sql/locations/managedDatabaseMoveOperationResults",
+ "Microsoft.Sql/locations/managedDatabaseMoveAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation",
+ "Microsoft.Sql/locations/connectionPoliciesOperationResults",
+ "Microsoft.Sql/locations/notifyNetworkSecurityPerimeterUpdatesAvailable",
+ "Microsoft.Sql/locations/replicationLinksAzureAsyncOperation",
+ "Microsoft.Sql/locations/replicationLinksOperationResults",
+ "Microsoft.Sql/locations/managedInstanceDtcAzureAsyncOperation",
+ "Microsoft.Sql/servers",
+ "Microsoft.Sql/servers/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/advisors",
+ "Microsoft.Sql/servers/auditingPolicies",
+ "Microsoft.Sql/servers/auditingSettings",
+ "Microsoft.Sql/servers/connectionPolicies",
+ "Microsoft.Sql/servers/databases",
+ "Microsoft.Sql/servers/databases/advisors",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/databases/auditingPolicies",
+ "Microsoft.Sql/servers/databases/auditingSettings",
+ "Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies",
+ "Microsoft.Sql/servers/databases/extendedAuditingSettings",
+ "Microsoft.Sql/servers/databases/geoBackupPolicies",
+ "Microsoft.Sql/servers/databases/ledgerDigestUploads",
+ "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "Microsoft.Sql/servers/databases/vulnerabilityAssessments",
+ "Microsoft.Sql/servers/devOpsAuditingSettings",
+ "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings",
+ "Microsoft.Sql/servers/encryptionProtector",
+ "Microsoft.Sql/servers/extendedAuditingSettings",
+ "Microsoft.Sql/servers/firewallRules",
+ "Microsoft.Sql/servers/keys",
+ "Microsoft.Sql/servers/securityAlertPolicies",
+ "Microsoft.Sql/servers/sqlVulnerabilityAssessments",
+ "Microsoft.Sql/servers/vulnerabilityAssessments"
+ ]
+ },
+ "allowedVirtualMachineSKUs": {
+ "value": [
+ "Standard_DC1s_v2",
+ "Standard_DC2s_v2",
+ "Standard_DC4s_v2",
+ "Standard_DC8_v2",
+ "Standard_DC1s_v3",
+ "Standard_DC2s_v3",
+ "Standard_DC4s_v3",
+ "Standard_DC8s_v3",
+ "Standard_DC16s_v3",
+ "Standard_DC24s_v3",
+ "Standard_DC32s_v3",
+ "Standard_DC48s_v3",
+ "Standard_DC1ds_v3",
+ "Standard_DC2ds_v3",
+ "Standard_DC4ds_v3",
+ "Standard_DC8ds_v3",
+ "Standard_DC16ds_v3",
+ "Standard_DC24ds_v3",
+ "Standard_DC32ds_v3",
+ "Standard_DC48ds_v3",
+ "Standard_DC2ads_v5",
+ "Standard_DC2as_v5",
+ "Standard_DC4ads_v5",
+ "Standard_DC4as_v5",
+ "Standard_DC8ads_v5",
+ "Standard_DC8as_v5",
+ "Standard_DC16ads_v5",
+ "Standard_DC16as_v5",
+ "Standard_DC32ads_v5",
+ "Standard_DC32as_v5",
+ "Standard_DC48ads_v5",
+ "Standard_DC48as_v5",
+ "Standard_DC64ads_v5",
+ "Standard_DC64as_v5",
+ "Standard_DC96ads_v5",
+ "Standard_DC96as_v5",
+ "Standard_EC2ads_v5",
+ "Standard_EC2as_v5",
+ "Standard_EC4ads_v5",
+ "Standard_EC4as_v5",
+ "Standard_EC8ads_v5",
+ "Standard_EC8as_v5",
+ "Standard_EC16ads_v5",
+ "Standard_EC16as_v5",
+ "Standard_EC20ads_v5",
+ "Standard_EC20as_v5",
+ "Standard_EC32ads_v5",
+ "Standard_EC32as_v5",
+ "Standard_EC48ads_v5",
+ "Standard_EC48as_v5",
+ "Standard_EC64ads_v5",
+ "Standard_EC64as_v5",
+ "Standard_EC96ads_v5",
+ "Standard_EC96as_v5",
+ "Standard_EC96iads_v5",
+ "Standard_EC96ias_v5"
+ ]
+ },
+ "effect": {
+ "value": "Deny"
+ },
+ "listOfAllowedLocations": {
+ "value": []
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/03de05a4-c324-4ccd-882f-a814ea8ab9ea",
+ "scope": null,
+ "enforcementMode": "Default"
+ },
+ "location": null,
+ "identity": {
+ "type": "None"
+ }
+}
\ No newline at end of file
diff --git a/platform/fsi/policy_assignments/re_01_zonal_residency.alz_policy_assignment.json b/platform/fsi/policy_assignments/re_01_zonal_residency.alz_policy_assignment.json
new file mode 100644
index 0000000..1eed013
--- /dev/null
+++ b/platform/fsi/policy_assignments/re_01_zonal_residency.alz_policy_assignment.json
@@ -0,0 +1,23 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "RE-01-Zonal-Residency",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "The customer must ensure multi-region and active-active resiliency across all workloads.",
+ "displayName": "RE-01-Zonal-Residency",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5",
+ "enforcementMode": "Default",
+ "parameters": {
+ "allow": {
+ "value": "Both"
+ }
+ },
+ "scope": "/providers/Microsoft.Management/managementGroups/placeholder",
+ "notScopes": []
+ }
+}
\ No newline at end of file
diff --git a/platform/fsi/policy_assignments/so_01_data_residency.alz_policy_assignment.json b/platform/fsi/policy_assignments/so_01_data_residency.alz_policy_assignment.json
new file mode 100644
index 0000000..d69dbfd
--- /dev/null
+++ b/platform/fsi/policy_assignments/so_01_data_residency.alz_policy_assignment.json
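Review bot: `listOfAllowedLocations` is passed an empty array while `effect` is `Deny`; if the referenced initiative's location rule follows the usual "location not in the list → effect" shape, an empty list denies resource creation in every region, so the value must be overridden at deployment time and the README should say so, or a non-empty default should ship. The same empty list appears as `listOfAllowedLocations-1` next to `"policyEffect-1": "Deny"` in the SO-01-Data-Residency assignment hunk that follows. `allowedResourceTypes` contains `Microsoft.Sql/servers/databases/transparentDataEncryption` twice in a row and `Microsoft.Sql/servers/databases/advancedThreatProtectionSettings` twice; the engine tolerates duplicates, but they suggest the list was never de-duplicated. This assignment also uses `"apiVersion": "2019-09-01"`, `"scope": null` and `"location": null` while the other four assignments use `2022-06-01`, a placeholder scope and `"${default_location}"`; aligning them keeps the library's templating uniform.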
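Review bot: `policyDefinitionId` references policy set `130fb88f-0fc9-4678-bfe1-31022d71c7d5`, which is not among the policy set definitions visible in this patch (only the SO-01 and SO-04 sets are added), and the TR-01-Logging assignment two hunks later references `0884adba-2312-4468-abeb-5422caed1038` the same way. If both are built-in initiatives that is fine, but naming the source in the README would spare the next reader a lookup; if they are custom sets, the library cannot resolve them. The parameter `"allow": { "value": "Both" }` is opaque without the set definition at hand, so a short description of what `Both` permits would help.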
@@ -0,0 +1,26 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "SO-01-Data-Residency",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based upon customer-defined requirements.",
+ "displayName": "SO-01-Data-Residency",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/d22ea5a9-2a46-4f25-8d11-e8ef42769e46",
+ "enforcementMode": "Default",
+ "parameters": {
+ "listOfAllowedLocations-1": {
+ "value": []
+ },
+ "policyEffect-1": {
+ "value": "Deny"
+ }
+ },
+ "scope": "/providers/Microsoft.Management/managementGroups/placeholder",
+ "notScopes": []
+ }
+}
\ No newline at end of file
diff --git a/platform/fsi/policy_assignments/so_04_cmk.alz_policy_assignment.json b/platform/fsi/policy_assignments/so_04_cmk.alz_policy_assignment.json
new file mode 100644
index 0000000..e51698c
--- /dev/null
+++ b/platform/fsi/policy_assignments/so_04_cmk.alz_policy_assignment.json
@@ -0,0 +1,23 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "SO-04-CMK",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.",
+ "displayName": "SO-04-CMK",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/50e4abe0-fc74-4546-9bd4-070ad748670b",
+ "enforcementMode": "Default",
+ "parameters": {
+ "enableDoubleEncryption-1": {
+ "value": false
+ }
+ },
+ "scope": "/providers/Microsoft.Management/managementGroups/placeholder",
+ "notScopes": []
+ }
+}
\ No newline at end of file
diff --git a/platform/fsi/policy_assignments/tr_01_logging.alz_policy_assignment.json b/platform/fsi/policy_assignments/tr_01_logging.alz_policy_assignment.json
new file mode 100644
index 0000000..0a4471c
--- /dev/null
+++ b/platform/fsi/policy_assignments/tr_01_logging.alz_policy_assignment.json
@@ -0,0 +1,23 @@
+{
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2022-06-01",
+ "name": "TR-01-Logging",
+ "location": "${default_location}",
+ "dependsOn": [],
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Customer must have visibility into deep information about what has happened in their environment (You can get it for diagnostic not for Operator settings)",
+ "displayName": "TR-01-Logging",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038",
+ "enforcementMode": "Default",
+ "parameters": {
+ "logAnalytics": {
+ "value": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/placeholder/providers/Microsoft.OperationalInsights/workspaces/placeholder"
+ }
+ },
+ "scope": "/providers/Microsoft.Management/managementGroups/placeholder",
+ "notScopes": []
+ }
+}
\ No newline at end of file
diff --git a/platform/fsi/policy_definitions/.gitignore b/platform/fsi/policy_definitions/.gitignore
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/fsi/policy_definitions/.gitignore
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
diff --git a/platform/fsi/policy_set_definitions/SO-01-Data-Residency.alz_policy_set_definition.json b/platform/fsi/policy_set_definitions/SO-01-Data-Residency.alz_policy_set_definition.json
new file mode 100644
index 0000000..a6a262f
--- /dev/null
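Review bot: `logAnalytics` is hard-coded to a workspace under subscription `00000000-0000-0000-0000-000000000000` and resource group `placeholder`; unlike `location`, which uses the `${default_location}` template token, this value carries no substitution marker, so a consumer who does not override it gets an assignment whose target workspace does not exist and, since the `SystemAssigned` identity suggests deploy-style remediation, remediations that fail. Consider a templated value in the same style as `${default_location}` so the library's substitution step fills it in, and list it among the required overrides in the README. The description's parenthetical `(You can get it for diagnostic not for Operator settings)` is hard to parse; rewording it to name which log categories are in scope would help.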
+++ b/platform/fsi/policy_set_definitions/SO-01-Data-Residency.alz_policy_set_definition.json 
@@ -0,0 +1,93 @@
+{
+ "properties": {
+ "displayName": "SO 01-Data-Residency",
+ "policyType": "Custom",
+ "description": "Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based upon customer-defined requirements.",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "1.0.0-preview",
+ "preview": true
+ },
+ "version": "1.0.0",
+ "policyDefinitionGroups": [
+ {
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/SO_01_Data_Residency_Data_Residency_SO_01",
+ "description": "Customer data must be stored and processed entirely in data centers that reside in approved geopolitical regions based upon customer-defined requirements.",
+ "category": "Data Residency",
+ "name": "SO_01_Data_Residency_Data_Residency_SO_01"
+ }
+ ],
+ "parameters": {
+ "listOfAllowedLocations-1": {
+ "type": "Array",
+ "metadata": {
+ "description": "The list of locations that can be specified when deploying resources.",
+ "strongType": "location",
+ "displayName": "Allowed locations"
+ }
+ },
+ "policyEffect-1": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Policy Effect",
+ "description": "The desired effect of the policy."
+ },
+ "allowedValues": [
+ "audit",
+ "Audit",
+ "deny",
+ "Deny",
+ "disabled",
+ "Disabled"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations-1')]"
+ }
+ },
+ "groupNames": [
+ "SO_01_Data_Residency_Data_Residency_SO_01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "Allowed locations"
+ },
+ {
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations-1')]"
+ }
+ },
+ "groupNames": [
+ "SO_01_Data_Residency_Data_Residency_SO_01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "Allowed locations for resource groups"
+ },
+ {
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": "[parameters('listOfAllowedLocations-1')]"
+ },
+ "policyEffect": {
+ "value": "[parameters('policyEffect-1')]"
+ }
+ },
+ "groupNames": [
+ "SO_01_Data_Residency_Data_Residency_SO_01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0473574d-2d43-4217-aefe-941fcdf7e684",
+ "definitionVersion": "1.*.*",
+ "policyDefinitionReferenceId": "Azure Cosmos DB allowed locations"
+ }
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policySetDefinitions/d22ea5a9-2a46-4f25-8d11-e8ef42769e46",
+ "name": "d22ea5a9-2a46-4f25-8d11-e8ef42769e46"
+}
\ No newline at end of file
diff --git a/platform/fsi/policy_set_definitions/SO-04-CMK.alz_policy_set_definition.json b/platform/fsi/policy_set_definitions/SO-04-CMK.alz_policy_set_definition.json
new file mode 100644
index 0000000..a613c14
--- /dev/null
+++ b/platform/fsi/policy_set_definitions/SO-04-CMK.alz_policy_set_definition.json
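Review bot: `policyEffect-1.allowedValues` lists every effect twice in different case (`audit`/`Audit`, `deny`/`Deny`, `disabled`/`Disabled`); whether or not the engine compares effects case-insensitively, the duplicates add nothing and invite inconsistent assignments, so keeping one casing (`Audit`, `Deny`, `Disabled`, matching `defaultValue`) is cleaner. `listOfAllowedLocations-1` has no `defaultValue`, so every assignment must supply it — worth stating in the README, since the shipped SO-01 assignment passes `[]`. `metadata.version` is `1.0.0-preview` while top-level `version` is `1.0.0`, and `displayName` is `SO 01-Data-Residency` where the assignment uses `SO-01-Data-Residency`; aligning these avoids confusion in portal listings.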
@@ -0,0 +1,147 @@
+{
+ "properties": {
+ "displayName": "SO 04-CMK",
+ "policyType": "Custom",
+ "description": "The customer must have exclusive control over deciding which identities can access keys used to decrypt customer-defined sensitive data.",
+ "metadata": {
+ "category": "Regulatory Compliance",
+ "version": "1.0.0-preview",
+ "preview": true
+ },
+ "version": "1.0.0",
+ "policyDefinitionGroups": [
+ {
+ "name": "SO_04_CMK_Customer_Managed_Keys_SO_04",
+ "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/SO_04_CMK_Customer_Managed_Keys_SO_04",
+ "category": "Customer Managed Keys",
+ "description": "[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data"
+ }
+ ],
+ "parameters": {
+ "enableDoubleEncryption-1": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Double encryption should be enabled on Recovery Services vaults for Backup",
+ "description": "Check if double encryption is enabled on Recovery Services vaults for Backup. For more details refer to https://aka.ms/AB-InfraEncryption."
+ },
+ "defaultValue": false
+ }
+ },
+ "policyDefinitions": [
+ {
+ "definitionVersion": "1.*.*-preview",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {
+ "enableDoubleEncryption": {
+ "value": "[parameters('enableDoubleEncryption-1')]"
+ }
+ },
+ "policyDefinitionReferenceId": "[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys"
+ },
+ {
+ "definitionVersion": "2.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/970f84d8-71b6-4091-9979-ace7e3fb6dbb",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "HPC Cache accounts should use customer-managed key for encryption"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "Managed disks should be double encrypted with both platform-managed and customer-managed keys"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "MySQL servers should use customer-managed keys to encrypt data at rest"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "PostgreSQL servers should use customer-managed keys to encrypt data at rest"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "Queue Storage should use customer-managed key for encryption"
+ },
+ {
+ "definitionVersion": "2.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "SQL managed instances should use customer-managed keys to encrypt data at rest"
+ },
+ {
+ "definitionVersion": "2.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "SQL servers should use customer-managed keys to encrypt data at rest"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "Storage account encryption scopes should use customer-managed keys to encrypt data at rest"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "Storage accounts should use customer-managed key for encryption"
+ },
+ {
+ "definitionVersion": "1.*.*",
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688",
+ "groupNames": [
+ "SO_04_CMK_Customer_Managed_Keys_SO_04"
+ ],
+ "parameters": {},
+ "policyDefinitionReferenceId": "Table Storage should use customer-managed key for encryption"
+ }
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policySetDefinitions/50e4abe0-fc74-4546-9bd4-070ad748670b",
+ "name": "50e4abe0-fc74-4546-9bd4-070ad748670b"
+}
\ No newline at end of file
diff --git a/platform/fsi/role_definitions/.gitignore b/platform/fsi/role_definitions/.gitignore
new file mode 100644
index 0000000..133e542
--- /dev/null
+++ b/platform/fsi/role_definitions/.gitignore
@@ -0,0 +1,6 @@
+# adding .gitignore to maintain lib folder structure, remove after adding files to the folder
+# Ignore all files in this dir...
+*
+
+# ... except for this one.
+!.gitignore
\ No newline at end of file
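Review bot: `policyDefinitionGroups[0].description` reuses the display name of the first member policy (`[Preview]: Azure Recovery Services vaults should use customer-managed keys for encrypting backup data`) although the group spans all twelve CMK policies (AKS disks, HPC Cache, managed disks, MySQL, PostgreSQL, SQL, Storage); a group-level sentence such as `Data at rest must be encrypted with customer-managed keys under the customer's exclusive control` describes it accurately. `metadata.version` `1.0.0-preview` and top-level `version` `1.0.0` disagree, as in the SO-01 set in the previous hunk. Eleven of the twelve members are referenced with `"parameters": {}`, so their effect is whatever each built-in defaults to; if the intent is to enforce rather than observe, the effect parameters would need to be surfaced the way `enableDoubleEncryption-1` is, and either way the README should state the resulting effect.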