Azure Secure Score auto remediation

%3CLINGO-SUB%20id%3D%22lingo-sub-1164539%22%20slang%3D%22en-US%22%3EAzure%20Secure%20Score%20auto%20remediation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1164539%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20deploying%20DeployIfNotExist%20and%20Deny%20remediation%20scripts%20using%20this%20GitHub%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FRemediation%2520scripts%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERepo%3C%2FA%3E.%20Its%20an%20awesome%20repo%20of%20some%20of%20the%20main%20scripts%20that%20are%20simple%20non-impactful%20remediation%20deployments%20but%20I%20need%20more.%20I%20need%20a%20repo%20that%20has%20a%201x1%20comparison%20for%20any%20CIS%20benchmark%20or%20security%20center%20recommendation.%20I%20want%20to%20create%20a%20secure%20from%20the%20start%20approach%20once%20I%20have%20existing%20workloads%20remediated.%20A%20few%20examples%20are%20TLS%20version%2C%20HTTPS%2FPHP%2FPython%20version%2C%20disk%20encryption%2C%20managed%20disk%2C%20standard%20pricing%20ect%20ect.%20Some%20things%20should%20be%20default%20deny%20from%20the%20start.%20I'm%20in%20search%20for%20more%20automation%20and%20for%20more%20Deny%20or%20DeployIfNotExist%20polices%20as%20no%20one%20should%20deploy%20apps%20without%20SSL%20or%20deploy%20servers%20without%20encryption%20or%20management%20ports%20open%20to%20the%20internet.%20Is%20there%20a%20larger%20repo%20out%20there%20that%20contains%20a%201x1%20json%20policy%20for%20every%20CIS%20benchmark%20or%20ASC%20score%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1167680%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Secure%20Score%20auto%20remediation%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1167680%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20sharing%20the%20Github%20repository.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20use%20ARM%20templates%20for%20deployment%20and%20DSC%20for%20configuration.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20just%20started%20using%20Azure%20Security%20Center%2C%20and%20after%20we%20remediate%20a%20recommendation%2C%20we%20just%20update%20our%20ARM%20template%20so%20that%20future%20resources%20will%20include%20the%20recommendation%20by%20default.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Visitor

I'm deploying DeployIfNotExist and Deny remediation scripts using this GitHub Repo. Its an awesome repo of some of the main scripts that are simple non-impactful remediation deployments but I need more. I need a repo that has a 1x1 comparison for any CIS benchmark or security center recommendation. I want to create a secure from the start approach once I have existing workloads remediated. A few examples are TLS version, HTTPS/PHP/Python version, disk encryption, managed disk, standard pricing ect ect. Some things should be default deny from the start. I'm in search for more automation and for more Deny or DeployIfNotExist polices as no one should deploy apps without SSL or deploy servers without encryption or management ports open to the internet. Is there a larger repo out there that contains a 1x1 json policy for every CIS benchmark or ASC score?

1 Reply
Highlighted

Thanks for sharing the Github repository.

 

We use ARM templates for deployment and DSC for configuration.

 

We just started using Azure Security Center, and after we remediate a recommendation, we just update our ARM template so that future resources will include the recommendation by default.