-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1 from Azure/sdubeymsft/dev
Adding sample blueprint artifacts for creating initial zero trust arc…
- Loading branch information
Showing
30 changed files
with
4,823 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| # Instructions | ||
|
|
||
| Following are the instructions to deploy artifacts included in the package, they may include- | ||
| * Azure Policy and Policy Set assignments | ||
| * Azure RBAC assignments | ||
| * Resource Groups and Resources | ||
|
|
||
| ### Prerequisites | ||
| 1. An Azure Subscription (this is where audit policies and deployments will be implemented against.) | ||
| 2. Owner level permissions on the management group and subscription. | ||
| 3. (Optional) ManagementGroupID of the Management group where subscription. | ||
| 4. All the files in current and sub directories. | ||
|
|
||
|
|
||
| ## Method 1- Azure Blueprint | ||
|
|
||
| Use this method if Azure Blueprint engine **is available** in targeted Azure Cloud environment and is desired framework for managing policy assignments and resource deployments. More on Azure Blueprints can be found [here](https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/lifecycle). | ||
|
|
||
| In order to customize and assign Blueprint we first need to import it into Azure Subscription, following instructions in one of two options to do so. | ||
|
|
||
| ### Import via Azure CloudShell | ||
|
|
||
| > [!TIP] | ||
| > Alternatively you can execute same steps via PowerShell shell (min version 7.0.0) installed on local computer by connecting to target Azure Cloud environment and Subscription context. [Learn how to](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.6.1) | ||
|
|
||
| 1. Open Cloud Shell on the Azure portal. [Learn how to](https://azure.microsoft.com/en-us/features/cloud-shell/) | ||
|
|
||
| 2. Launch PowerShell in the Azure CloudShell. [Learn how to](https://docs.microsoft.com/en-us/azure/cloud-shell/overview) | ||
| > [!NOTE] | ||
| > If you don't have any storage mounted, Azure CloudShell requires an Azure file share to persist files. This will create a new storage account. Click "Create Storage". | ||
| 4. Run following command to clone the Azure ato-toolkit repository to clouddrive. | ||
| ```powershell | ||
| git clone https://github.com/Azure/ato-toolkit.git $HOME/clouddrive | ||
| ``` | ||
| > [!TIP] | ||
| > Run `dir $HOME/clouddrive` to verify content of directory. | ||
| 4. Run following command import artifacts as Blueprint and save it within the specified subscription or management group. | ||
| ```powershell | ||
| Import-AzBlueprintWithArtifact -Name 'YourBlueprintName' -SubscriptionId '00000000-1111-0000-1111-000000000000' -InputPath '$HOME/clouddrive/ato-toolkit/automation/zero-trust-architecture/blueprint' | ||
| ``` | ||
| > [!NOTE] | ||
| > The input path must point to the folder where blueprint.json file is placed. | ||
| 5. From Azure Portal, browse to Azure Blueprint service tab and select "Blueprint definitions". You can review newly imported Blueprint in there and follow instructions to edit, publish and assign blueprint. [Learn how to](https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal#edit-a-blueprint) | ||
| ## Method 2- Azure PowerShell | ||
| Use this method if Azure Blueprint engine **is not available** in targeted Azure Cloud environment or is not a preferred framework for managing policy assignments and resource deployments. More on Azure PowerShell can be found [here](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.6.1). | ||
| > [!WARNING] | ||
| > This is work in progress. Send feedback by creating issue. |
Binary file not shown.
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/05088c37-2381-4674-aa64-d3022d3839e9.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3", | ||
| "parameters": { | ||
| "listOfAllowedSKUs": { | ||
| "value": "[parameters('listOfAllowedVirtualMachineSKUs')]" | ||
| } | ||
| }, | ||
| "dependsOn": [], | ||
| "displayName": "Allowed virtual machine SKUs" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/05088c37-2381-4674-aa64-d3022d3839e9", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "05088c37-2381-4674-aa64-d3022d3839e9" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Enforce automatic OS upgrade with app health checks on VMSS" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "05af2b76-44e5-40c7-a400-2bf814c90331" | ||
| } |
19 changes: 19 additions & 0 deletions
19
...ion/zero-trust-architecture/blueprint/artifacts/0d369266-ba61-408f-9224-b59407dd9219.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77", | ||
| "parameters": { | ||
| "logAnalytics": { | ||
| "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('organization'), '-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]" | ||
| }, | ||
| "listOfImageIdToInclude": { | ||
| "value": "[parameters('deployLogAnalyticsAgentforLinuxVMs_listOfImageIdToInclude')]" | ||
| } | ||
| }, | ||
| "dependsOn": [], | ||
| "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VMs" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/0d369266-ba61-408f-9224-b59407dd9219", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "0d369266-ba61-408f-9224-b59407dd9219" | ||
| } |
19 changes: 19 additions & 0 deletions
19
...ion/zero-trust-architecture/blueprint/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038", | ||
| "parameters": { | ||
| "logAnalytics": { | ||
| "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('organization'),'-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]" | ||
| }, | ||
| "listOfImageIdToInclude": { | ||
| "value": "[parameters('deployLogAnalyticsAgentforWindowsVMScaleSets_listOfImageIdToInclude')]" | ||
| } | ||
| }, | ||
| "dependsOn": [], | ||
| "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "15b2256e-6e50-497e-8c7b-12908ea3bcec" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1", | ||
| "parameters": { | ||
| "listOfAllowedSKUs": { | ||
| "value": "[parameters('listOfAllowedStorageSKUs')]" | ||
| } | ||
| }, | ||
| "dependsOn": [], | ||
| "displayName": "Allowed storage account SKUs" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "17932dfa-ef41-4773-bb3f-6d47ec231862" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Require blob encryption for storage accounts" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "2fa4484f-856a-412f-8f6b-4dbe43ece14e" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Deploy SQL DB transparent data encryption" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "3bcbd39e-142f-438c-8d60-bf1e7a7a646d" | ||
| } |
19 changes: 19 additions & 0 deletions
19
...ion/zero-trust-architecture/blueprint/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c", | ||
| "parameters": { | ||
| "logAnalytics": { | ||
| "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('organization'),'-sharedsvcs-log-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('organization'), '-sharedsvcs-log'))]" | ||
| }, | ||
| "listOfImageIdToInclude": { | ||
| "value": "[parameters('deployLogAnalyticsAgentforWindowsVMs_listOfImageIdToInclude')]" | ||
| } | ||
| }, | ||
| "dependsOn": [], | ||
| "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VMs" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "758c7b68-2444-44ef-8b96-88697b685ac0" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/86379ec5-5137-4be8-924a-fdac61206823.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Deploy Threat Detection on SQL servers" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/86379ec5-5137-4be8-924a-fdac61206823", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "86379ec5-5137-4be8-924a-fdac61206823" | ||
| } |
36 changes: 36 additions & 0 deletions
36
...ion/zero-trust-architecture/blueprint/artifacts/939c6f4a-da98-4c2e-9d87-ba25bb8f0c23.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| { | ||
| "properties": { | ||
| "template": { | ||
| "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.1", | ||
| "variables": { | ||
|
|
||
| }, | ||
| "resources": [ | ||
| { | ||
| "type": "Microsoft.Security/pricings", | ||
| "apiVersion": "2017-08-01-preview", | ||
| "name": "default", | ||
| "properties": { | ||
| "pricingTier": "Standard" | ||
| } | ||
| } | ||
| ], | ||
| "outputs": { | ||
|
|
||
| } | ||
| }, | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Azure Security Center template", | ||
| "description": "" | ||
| }, | ||
| "kind": "template", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/939c6f4a-da98-4c2e-9d87-ba25bb8f0c23", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "939c6f4a-da98-4c2e-9d87-ba25bb8f0c23" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/94bd9371-83e9-4d50-97e8-58449465e4cf.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/89c6cddc-1c73-4ac1-b19c-54d1a15a42f2", | ||
| "parameters": { | ||
| "listOfResourceTypesWithDiagnosticLogsEnabled": { | ||
| "value": "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]" | ||
| } | ||
| }, | ||
| "dependsOn": [], | ||
| "displayName": "[Preview]: Audit ISO 27001:2013 controls and deploy specific VM Extensions to support audit requirements" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/94bd9371-83e9-4d50-97e8-58449465e4cf", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "94bd9371-83e9-4d50-97e8-58449465e4cf" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "9f359831-fbfd-456d-ac61-7a949d067a55" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Deploy network watcher when virtual networks are created" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "a0601552-2ed7-439f-a2f2-104130d3a20f" | ||
| } |
16 changes: 16 additions & 0 deletions
16
...ion/zero-trust-architecture/blueprint/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "properties": { | ||
| "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", | ||
| "parameters": { | ||
|
|
||
| }, | ||
| "dependsOn": [ | ||
|
|
||
| ], | ||
| "displayName": "Deploy Advanced Data Security on SQL servers" | ||
| }, | ||
| "kind": "policyAssignment", | ||
| "id": "/providers/Microsoft.Blueprint/blueprints/Zero_Trust_Architecture/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6", | ||
| "type": "Microsoft.Blueprint/blueprints/artifacts", | ||
| "name": "a76b04dc-bab8-4e73-9968-be509cfa88b6" | ||
| } |
Oops, something went wrong.