
Commit 64a1e0d

Update to rules and docs Azure#2570 (Azure#2633)
* Update to rules and docs Azure#2570 * Additional updates
1 parent 1be5441 commit 64a1e0d

22 files changed, +477 −125 lines

.github/workflows/docs.yaml

+2
Original file line numberDiff line numberDiff line change
@@ -56,6 +56,8 @@ jobs:
5656

5757
- name: Build site
5858
run: mkdocs build
59+
with:
60+
MKDOCS_GIT_COMMITTERS_APIKEY: ${{ secrets.GITHUB_TOKEN }}
5961

6062
- name: Deploy
6163
uses: peaceiris/actions-gh-pages@v3
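Review bot: `with:` is not a valid key on a `run:` step (lines 59-60 of the new file), so the workflow will fail to parse with "Unexpected value 'with'" before the Build site step runs; GitHub Actions only accepts `with:` on `uses:` steps. The git-committers plugin reads `MKDOCS_GIT_COMMITTERS_APIKEY` from the process environment, so this should be `env:` instead, i.e. keep `run: mkdocs build` and add `env:` / `MKDOCS_GIT_COMMITTERS_APIKEY: ${{ secrets.GITHUB_TOKEN }}` under it. Since the token is now handed to the build, also confirm the workflow's `permissions:` block limits `GITHUB_TOKEN` to `contents: read` for this job.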

data/policy-ignore.json

+6-1
@@ -1,4 +1,7 @@
11
[
2+
// Azure.ACR.AdminUser
3+
"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2",
4+
"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759",
25
// Azure.SQL.AAD
36
"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9",
47
// Azure.ServiceFabric.AAD
@@ -27,5 +30,7 @@
2730
"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
2831
"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555",
2932
// Azure.Cognitive.ManagedIdentity
30-
"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418"
33+
"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418",
34+
// Azure.VM.UseManagedDisks
35+
"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
3136
]
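Review bot: the new `Azure.VM.UseManagedDisks` entry `06a78e20-9358-41c9-923c-fb736d382a4d` has no counterpart on this page, unlike the two `Azure.ACR.AdminUser` IDs added at the top of the file, which are the same IDs the ACR rule doc now lists under "Configure with Azure Policy". If the `Azure.VM.UseManagedDisks` doc is not also updated in this commit, either add the policy link there or leave a comment here explaining why the built-in is excluded, so the ignore list stays traceable. The comma added after `fe3fd216-…` is required because a new entry follows it, which is the kind of edit that silently breaks this JSONC file if missed, so a quick parse of `data/policy-ignore.json` in CI would be worth having.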

docs/CHANGELOG-v1.md

+1
@@ -54,6 +54,7 @@ What's changed since v1.32.1:
5454
- General improvements:
5555
- Quality updates to rules and documentation by @BernieWhite.
5656
[#1772](https://github.com/Azure/PSRule.Rules.Azure/issues/1772)
57+
[#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
5758
- Engineering:
5859
- Bump xunit to v2.6.4.
5960
[#2618](https://github.com/Azure/PSRule.Rules.Azure/pull/2618)

docs/en/rules/Azure.ACR.AdminUser.md

+17-4
@@ -1,5 +1,5 @@
11
---
2-
reviewed: 2023-12-01
2+
reviewed: 2024-01-05
33
severity: Critical
44
pillar: Security
55
category: SE:05 Identity and access management
@@ -47,7 +47,7 @@ For example:
4747
```json
4848
{
4949
"type": "Microsoft.ContainerRegistry/registries",
50-
"apiVersion": "2023-08-01-preview",
50+
"apiVersion": "2023-07-01",
5151
"name": "[parameters('name')]",
5252
"location": "[parameters('location')]",
5353
"sku": {
@@ -81,7 +81,7 @@ To deploy registries that pass this rule:
8181
For example:
8282

8383
```bicep
84-
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
84+
resource registry 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
8585
name: name
8686
location: location
8787
sku: {
@@ -108,16 +108,29 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' =
108108

109109
### Configure with Azure CLI
110110

111+
To configure registries that pass this rule:
112+
111113
```bash
112-
az acr update --admin-enabled false -n '<name>' -g '<resource_group>'
114+
az acr update -n '<name>' -g '<resource_group>' --admin-enabled false
113115
```
114116

115117
### Configure with Azure PowerShell
116118

119+
To configure registries that pass this rule:
120+
117121
```powershell
118122
Update-AzContainerRegistry -ResourceGroupName '<resource_group>' -Name '<name>' -DisableAdminUser
119123
```
120124

125+
### Configure with Azure Policy
126+
127+
To address this issue at runtime use the following policies:
128+
129+
- [Container registries should have local admin account disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AdminAccountDisabled_AuditDeny.json)
130+
`/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2`.
131+
- [Configure container registries to disable local admin account](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_AdminAccountDisabled_Modify.json)
132+
`/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759`.
133+
121134
## LINKS
122135

123136
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)
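Review bot: the new "Configure with Azure Policy" section lists the Modify policy `79fdfe03-ffcb-4e55-b4d0-b925b8241759` without saying that a `Modify` effect only changes resources when the assignment is given a managed identity with write access to the registries, and only touches existing registries through a remediation task; one sentence to that effect would stop readers from expecting admin users to be disabled on existing registries just by assigning the policy. The Audit/Deny entry `dc921057-…` needs no such caveat. Swapping the `az acr update` argument order is cosmetic and fine; the PowerShell command is unchanged.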

docs/en/rules/Azure.ACR.AnonymousAccess.md

+54-10
@@ -30,7 +30,7 @@ Consider disabling anonymous pull access in scenarios that require user authenti
3030

3131
### Configure with Azure template
3232

33-
To deploy Azure Container Registries that pass this rule:
33+
To deploy registries that pass this rule:
3434

3535
- Set the `properties.anonymousPullEnabled` property to `false`.
3636

@@ -39,43 +39,87 @@ For example:
3939
```json
4040
{
4141
"type": "Microsoft.ContainerRegistry/registries",
42-
"apiVersion": "2023-01-01-preview",
43-
"name": "[parameters('registryName')]",
42+
"apiVersion": "2023-08-01-preview",
43+
"name": "[parameters('name')]",
4444
"location": "[parameters('location')]",
4545
"sku": {
46-
"name": "Standard"
46+
"name": "Premium"
47+
},
48+
"identity": {
49+
"type": "SystemAssigned"
4750
},
4851
"properties": {
49-
"anonymousPullEnabled": false
52+
"adminUserEnabled": false,
53+
"anonymousPullEnabled": false,
54+
"policies": {
55+
"quarantinePolicy": {
56+
"status": "enabled"
57+
},
58+
"trustPolicy": {
59+
"status": "enabled",
60+
"type": "Notary"
61+
},
62+
"retentionPolicy": {
63+
"days": 30,
64+
"status": "enabled"
65+
},
66+
"softDeletePolicy": {
67+
"retentionDays": 90,
68+
"status": "enabled"
69+
}
70+
}
5071
}
5172
}
5273
```
5374

5475
### Configure with Bicep
5576

56-
To deploy Azure Container Registries that pass this rule:
77+
To deploy registries that pass this rule:
5778

5879
- Set the `properties.anonymousPullEnabled` property to `false`.
5980

6081
For example:
6182

6283
```bicep
63-
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = {
64-
name: registryName
84+
resource registry 'Microsoft.ContainerRegistry/registries@2023-08-01-preview' = {
85+
name: name
6586
location: location
6687
sku: {
67-
name: 'Standard'
88+
name: 'Premium'
89+
}
90+
identity: {
91+
type: 'SystemAssigned'
6892
}
6993
properties: {
94+
adminUserEnabled: false
7095
anonymousPullEnabled: false
96+
policies: {
97+
quarantinePolicy: {
98+
status: 'enabled'
99+
}
100+
trustPolicy: {
101+
status: 'enabled'
102+
type: 'Notary'
103+
}
104+
retentionPolicy: {
105+
days: 30
106+
status: 'enabled'
107+
}
108+
softDeletePolicy: {
109+
retentionDays: 90
110+
status: 'enabled'
111+
}
112+
}
71113
}
72114
}
73115
```
74116

75117
### Configure with Azure CLI
76118

119+
To configure registries that pass this rule:
120+
77121
```bash
78-
az acr update --name myregistry --anonymous-pull-enabled false
122+
az acr update -n '<name>' -g '<resource_group>' --anonymous-pull-enabled false
79123
```
80124

81125
## NOTES
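Review bot: the template and Bicep examples now go well beyond the single bullet they illustrate ("Set the `properties.anonymousPullEnabled` property to `false`"): they switch the SKU from Standard to Premium, add a system-assigned identity, and enable quarantine, trust (Notary), 30-day retention and 90-day soft-delete policies. The quarantine, trust and retention policies are Premium-only, which is presumably why the SKU changed, but a reader on Basic or Standard who copies the block will get a deployment error, and a 30-day `retentionPolicy` silently deletes untagged manifests. Either trim the examples back to `anonymousPullEnabled` (and `adminUserEnabled`, which is reasonable to show alongside it) or extend the bullet list to state what else is being demonstrated and that it requires Premium. Separately, `apiVersion` here moves to `2023-08-01-preview` while `Azure.ACR.AdminUser.md` in this same commit moves to the GA `2023-07-01`; if that is because `anonymousPullEnabled` is only exposed in the preview API versions, say so in NOTES so the next pass does not "fix" it.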

docs/en/rules/Azure.ADX.ManagedIdentity.md

+7-6
@@ -2,7 +2,7 @@
22
reviewed: 2022-05-14
33
severity: Important
44
pillar: Security
5-
category: Authentication
5+
category: SE:05 Identity and access management
66
resource: Data Explorer
77
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ADX.ManagedIdentity/
88
---
@@ -88,8 +88,9 @@ resource adx 'Microsoft.Kusto/clusters@2021-08-27' = {
8888

8989
## LINKS
9090

91-
- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
92-
- [Managed identities overview](https://docs.microsoft.com/azure/data-explorer/managed-identities-overview)
93-
- [Configure managed identities for your Azure Data Explorer cluster](https://docs.microsoft.com/azure/data-explorer/configure-managed-identities-cluster)
94-
- [Managed identities for Azure resources](https://docs.microsoft.com/azure/data-explorer/security#managed-identities-for-azure-resources)
95-
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.kusto/clusters)
91+
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
92+
- [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
93+
- [Managed identities overview](https://learn.microsoft.com/azure/data-explorer/managed-identities-overview)
94+
- [Configure managed identities for your Azure Data Explorer cluster](https://learn.microsoft.com/azure/data-explorer/configure-managed-identities-cluster)
95+
- [Managed identities for Azure resources](https://learn.microsoft.com/azure/data-explorer/security#managed-identities-for-azure-resources)
96+
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.kusto/clusters)

docs/en/rules/Azure.AKS.ManagedIdentity.md

+5-5
@@ -1,7 +1,7 @@
11
---
22
severity: Important
33
pillar: Security
4-
category: Authentication
4+
category: SE:05 Identity and access management
55
resource: Azure Kubernetes Service
66
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.ManagedIdentity/
77
---
@@ -42,7 +42,7 @@ AKS clusters can not be updated to use managed identities for cluster infrastruc
4242

4343
## LINKS
4444

45-
- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
46-
- [Use managed identities in Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/use-managed-identity)
47-
- [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
48-
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
45+
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
46+
- [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
47+
- [Use managed identities in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/use-managed-identity)
48+
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)

docs/en/rules/Azure.APIM.ManagedIdentity.md

+3-2
@@ -2,7 +2,7 @@
22
reviewed: 2023-03-05
33
severity: Important
44
pillar: Security
5-
category: Authentication
5+
category: SE:05 Identity and access management
66
resource: API Management
77
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.ManagedIdentity/
88
---
@@ -123,7 +123,8 @@ resource service 'Microsoft.ApiManagement/service@2021-08-01' = {
123123

124124
## LINKS
125125

126-
- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
126+
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
127+
- [What are managed identities for Azure resources?](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview)
127128
- [Use managed identities in Azure API Management](https://learn.microsoft.com/azure/api-management/api-management-howto-use-managed-service-identity)
128129
- [Authenticate with managed identity](https://learn.microsoft.com/azure/api-management/api-management-policies#authentication-policies)
129130
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.apimanagement/service)

docs/en/rules/Azure.AppService.ManagedIdentity.md

+3-3
@@ -1,7 +1,7 @@
11
---
22
severity: Important
33
pillar: Security
4-
category: Authentication
4+
category: SE:05 Identity and access management
55
resource: App Service
66
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AppService.ManagedIdentity/
77
---
@@ -102,8 +102,8 @@ resource webApp 'Microsoft.Web/sites@2021-02-01' = {
102102

103103
## LINKS
104104

105-
- [Use identity-based authentication](https://learn.microsoft.com/azure/well-architected/security/design-identity-authentication#use-identity-based-authentication)
105+
- [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access#resource-identity)
106106
- [What are managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
107107
- [Tutorial: Secure Azure SQL Database connection from App Service using a managed identity](https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-connect-msi)
108108
- [How to use managed identities for App Service and Azure Functions](https://docs.microsoft.com/azure/app-service/overview-managed-identity?tabs=dotnet)
109-
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.web/sites#managedserviceidentity-object)
109+
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.web/sites)
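Review bot: only the first and last links in this LINKS block were updated; the three unchanged lines between them still point at `docs.microsoft.com`, and "What are managed identities for Azure resources?" still uses the old `azure/active-directory/managed-identities-azure-resources/overview` path, whereas the ADX, AKS and APIM ManagedIdentity docs in this commit were moved to `https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview`. Update the three remaining links here in the same pass so the four ManagedIdentity rule docs stay consistent.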

docs/en/rules/Azure.Cognitive.ManagedIdentity.md

+2-3
@@ -97,9 +97,8 @@ resource language 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
9797

9898
To address this issue at runtime use the following policies:
9999

100-
```text
101-
/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418
102-
```
100+
- [Cognitive Services accounts should use a managed identity](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_ManagedIdentity_Audit.json)
101+
`/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418`.
103102

104103
## NOTES
105104

docs/en/rules/Azure.FrontDoor.State.md

+2-2
@@ -2,7 +2,7 @@
22
reviewed: 2023-02-18
33
severity: Important
44
pillar: Cost Optimization
5-
category: Optimize
5+
category: CO:14 Consolidation
66
resource: Front Door
77
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.FrontDoor.State/
88
---
@@ -77,5 +77,5 @@ resource afd_classic 'Microsoft.Network/frontDoors@2021-06-01' = {
7777

7878
## LINKS
7979

80-
- [Design review checklist for Cost Optimization](https://learn.microsoft.com/azure/well-architected/cost-optimization/checklist)
80+
- [CO:14 Consolidation](https://learn.microsoft.com/azure/well-architected/cost-optimization/consolidation)
8181
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.network/frontdoors)

docs/en/rules/Azure.ML.ComputeIdleShutdown.md

+2-1
@@ -2,7 +2,7 @@
22
reviewed: 2023-10-06
33
severity: Critical
44
pillar: Cost Optimization
5-
category: Provision
5+
category: CO:06 Usage and billing increments
66
resource: Machine Learning
77
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ML.ComputeIdleShutdown/
88
---
@@ -83,6 +83,7 @@ resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes
8383

8484
## LINKS
8585

86+
- [CO:06 Usage and billing increments](https://learn.microsoft.com/azure/well-architected/cost-optimization/align-usage-to-billing-increments)
8687
- [AI + Machine Learning cost estimates](https://learn.microsoft.com/azure/well-architected/cost/provision-ai-ml)
8788
- [Configure idle shutdown](https://learn.microsoft.com/azure/machine-learning/how-to-create-compute-instance#configure-idle-shutdown)
8889
- [ML Compute](https://learn.microsoft.com/azure/machine-learning/azure-machine-learning-glossary#compute)
