Conversation
| }, | ||
| { | ||
| "properties": { | ||
| "displayName": "Encryption for storage services should be enforced for Storage Accounts", |
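Review bot: the displayName in this hunk says encryption for storage services "should be enforced", but the thread below makes clear the rule is about encryption scopes inside an account falling back to a Microsoft-managed key, not about account-level encryption; only the displayName is visible in this excerpt, so the policyRule itself cannot be checked here. Suggest wording the displayName and description to say what is actually evaluated (for example that encryption scopes must use the customer-managed key source) so the definition is not read as a duplicate of the built-in b5ec538c-daa0-4006-8596-35468b9148e8 definition already in the set.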
How will this policy work in conjunction with /providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8 (encryption scopes should use CMK) which we are already including?
This allows using different keys and key types for different scopes within a storage account. You could otherwise potentially rely on a CMK as a default option but then apply an encryption scope that uses a Microsoft-managed key to container001, and hence not rely on the CMK encryption.
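To make the gap described above concrete, the following is an added illustrative custom Azure Policy definition, not the definition from this PR (whose policyRule is not shown in the thread). It denies creation of an encryption scope whose key source is anything other than Key Vault, so a scope backed by a Microsoft-managed key cannot be attached to a container in an account that is otherwise using a CMK. The alias `Microsoft.Storage/storageAccounts/encryptionScopes/source` and the value `Microsoft.KeyVault` are assumed from the storage resource provider's encryption-scope `properties.source` field; verify the alias in your tenant before assigning (for example with `az provider show --namespace Microsoft.Storage --expand resourceTypes/aliases`).

```json
{
  "properties": {
    "displayName": "Storage account encryption scopes should use a customer-managed key (illustrative)",
    "description": "Added example, not the PR's definition. Denies encryption scopes whose key source is not Key Vault, closing the gap where a CMK-protected account is bypassed per scope. Alias name is an assumption to verify.",
    "policyType": "Custom",
    "mode": "All",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Deny blocks non-CMK scopes at create time; Audit only reports them."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts/encryptionScopes"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/encryptionScopes/source",
            "notEquals": "Microsoft.KeyVault"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two practical points: `mode` is `All` rather than `Indexed` because encryption scopes are child resources with no location or tags, and `Indexed` mode would never evaluate them; and because the `Deny` is evaluated at create or update time, existing scopes are only surfaced as non-compliant, so run an initial compliance scan after assignment and remediate the scopes it lists.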
...ns/core/managementGroupTemplates/policyDefinitions/Compliant-StoragePolicySetDefinition.json
| }, | ||
| { | ||
| "properties": { | ||
| "displayName": "Public blob access should be restricted for Storage Accounts", |
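Review bot: "public blob access" (anonymous read access to containers and blobs, the account's allowBlobPublicAccess setting) is a different control from public network access (network-level reachability of the endpoint), so the redundancy question raised below against b2982f36-99f2-4db5-8eff-283140c09693 does not follow from the displayName alone; an account with public network access disabled can still have anonymous access enabled on a container reached over a private endpoint. Suggest the description state which property the rule evaluates and why it is kept alongside the network policies.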
This seems redundant to /providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693 (Storage accounts should disable public network access) which we are including, no?
The policy you mentioned cannot be used in a data context when relying on Databricks or Synapse. For these services, we have to rely on the Resource access rules feature, which is why I included all the other necessary policies to keep the environment as secure as possible.
I can remove it if you think it is redundant.
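As an added example of the approach described in the reply above (not a template from this PR or from the project), here is an ARM resource fragment for a storage account that keeps the public endpoint reachable but locks it down with a default deny and a resource access rule, which is what a Synapse or Databricks workload needs instead of `publicNetworkAccess: Disabled`. The subscription, resource group, workspace and tenant values are placeholders; the resource type `Microsoft.Synapse/workspaces` in the rule is assumed from Azure's documented resource-instance rules and should be checked against the current list for the service you use.

```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2022-09-01",
  "name": "stexamplepolicy001",
  "location": "westeurope",
  "sku": { "name": "Standard_LRS" },
  "kind": "StorageV2",
  "properties": {
    "allowBlobPublicAccess": false,
    "minimumTlsVersion": "TLS1_2",
    "supportsHttpsTrafficOnly": true,
    "publicNetworkAccess": "Enabled",
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "None",
      "ipRules": [],
      "virtualNetworkRules": [],
      "resourceAccessRules": [
        {
          "tenantId": "00000000-0000-0000-0000-000000000000",
          "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Synapse/workspaces/syn-example"
        }
      ]
    }
  }
}
```

The combination to look for in review is `publicNetworkAccess` left `Enabled` together with `defaultAction: Deny` and an explicit `resourceAccessRules` entry scoped to a single workspace in a single tenant; a rule with a wildcard subscription or tenant would let any instance of that service type reach the account. Because the public endpoint stays enabled, the "disable public network access" built-in would flag this account, which is why the other storage controls (anonymous access off, HTTPS only, TLS 1.2, CMK) matter more here.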
Do you want me to remove all the related policy rules for now?
…oft/industry into marvinbuss/storage_policy
…oft/industry into marvinbuss/storage_policy
* wave #1
* adding AKS
* added defender options
* adding mySql and other minor updates
* update
* backup completeness
* update + event grid
* adding Azure Data Explorer
* minor update
* adding rbac
* formatting
* adding ARM template for compliant services
* v2 refresh
* optimizing dependency
* adding policies
* dns update
* Update hubspoke-connectivity.json
* Update industryArmV2.json
* Update hubspoke-connectivity.json
* Update fsiPortalV2.json
* Update industryArmV2.json
* adding EH for data export
* Compliant network policySet
* prevent ssh and rdp from internet to network
* erDiag
* updated data export with description
* adding sub for ingress and egress
* adding assignments
* name length
* updated KV and adding cosmosDb
* more data stuff
* removing 'db'
* compliant events
* aks + nw
* Update Cognitive Services Policies (#370)
  Co-authored-by: Kristian Nese <kristian.nese@microsoft.com>
* nw part 1
* network orchestration
* sql policySet
* adding sql, service bus, and postgre sql
* adding sql assignment + storage def and assignment
* updating condition
* length
* correcting params
* Network Policies (#374)
  * Network Policies
  * Removing duplicate assignments
  ---------
  Co-authored-by: Kristian Nese <kristian.nese@microsoft.com>
* adding synapse
* update assignment name
* param mapping
* compliant corp lz
* update condition
* fixing url
* converge on private DNS across verticals
* compliant corp lz and modification to each vertical
* updated compliant services
* adding AVD
* Centralized logging initiative
* added diag to storage account
* naming convention for storage
* default identity sub behavior
* Add Azure Storage Policies (#375)
  * Add Azure Storage Policies
  * Fix minor bug
  * Update type
  * Add policy for CORS rules
  * Add policy for CMK for encryption scopes
  * Remove policy for encryption scope
  * Update display name
  * Add list of allowed values for policy definition
  * Update policy for encryption
  * Add policy assignments
  * Removed policy for cross tenant PEs
  * Add missing parameters
  * Update mg name
  * update sequencing
  ---------
  Co-authored-by: Marvin Buss <34542414+marvinbuss@users.noreply.github.com>
  Co-authored-by: Uday Pandya <14359777+uday31in@users.noreply.github.com>
