How to programmatically assign security standards on Defender for Cloud
Hi all, i would like to know if there is a way to programmatically (REST API, Terraform,...) activate custom secutity Standards on Defender for Cloud. Basically the step 6 on this guide https://learn.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages. I didn't found any way to do that. I have a policySet that i would like to activate in an automated way. Any ideas? Thank you in advance!New Blog | Leveraging Defender for Containers to simplify policy management for Kubernetes Clusters
Leveraging Defender for Containers to simplify policy management in your Kubernetes Clusters - Microsoft Community Hub A key part of Kubernetes security includes making sure the cluster is configured to industry and company best practices. This entails controlling what users can do on the cluster and blocking actions that don’t comply with pre-defined best practices. Out of the box, Kubernetes does not provide a mechanism to write and deploy fine grained policies required per your security and compliance mandates. As a result, you will probably leverage something like Gatekeeper along with https://www.openpolicyagent.org/docs/latest/. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction protects your Kubernetes clusters by continuously assessing them to get visibility into misconfigurations and help mitigate identified threats. To get insight into the workload configuration on the cluster, the https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes is deployed as part of the Defender for Containers plan. The Azure Policy for Kubernetes extends the Gatekeeper v3 https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ for OPA. Gatekeeper is needed to check if the policy is correct before enforcing it. On Azure Kubernetes Service (AKS), it is deployed as an add-on. For Arc Enabled Kubernetes, which includes on-premises clusters and clusters hosted in Google Cloud or Amazon Web Services, it is deployed as an https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes. In this blog, we will go more into detail about how Azure Policy for Kubernetes, uses Gatekeeper with OPA in the Defender for Containers plan.assign default initiative not showing
Hi Trying to Creating default initiative, but its not showing under default (after several hours) When Assigning there's this notification: Creating initiative assignment succeeded Creating initiative assignment 'Azure Security Benchmark' in 'sub1' was successful. Please note that the assignment takes around 30 minutes to take effect.
[Solved] Azure Policy to check the networkAcls.ipRules configuration for a Storage Account
Hi all! I'm trying to configure a Policy, that I anticipated shouldn't be to tricky, but for some reason I have a hard time getting it to work... Edit: Started working out of nowhere a few minutes ago... Configuration is as follow "parameters": { "allowedIPAddress": { "type": "Array", "metadata": { "displayName": "Allowed IP Addresses", "description": "The list of allowed IP adresses for this resource." } } }, "policyRule": { "if": { "allOf": [ { "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules", "exists": "true" }, { "field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules[*].value", "notIn": "[parameters('allowedIPAddress')]" } ] }, "then": { "effect": "deny" } } According to the documentation at https://docs.microsoft.com/en-us/azure/governance/policy/how-to/author-policies-for-arrays this should work, right? Only difference I have from the examples is that I check an array instead. Just to add: I'm having a hard time getting the example code in the documentation to work also, so this might be a person problem Thanks!
