diff --git a/azresources/security-center/asc.bicep b/azresources/security-center/asc.bicep
index 102609fc..e5b3386f 100644
--- a/azresources/security-center/asc.bicep
+++ b/azresources/security-center/asc.bicep
@@ -50,6 +50,7 @@ var azureDefenderServices = [
   'Arm'
   'AppServices'
   'Containers'
+  'CosmosDbs'
   'Dns'
   'KeyVaults'
   'OpenSourceRelationalDatabases'
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
new file mode 100644
index 00000000..8ec9513c
--- /dev/null
+++ b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.config.json
@@ -0,0 +1,4 @@
+{
+  "name": "Configure Microsoft Defender for Cosmos DB to be enabled",
+  "mode": "all"
+}
\ No newline at end of file
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
new file mode 100644
index 00000000..e26bb99e
--- /dev/null
+++ b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.parameters.json
@@ -0,0 +1,26 @@
+{
+  "pricingTier": {
+    "type": "string",
+    "metadata": {
+      "displayName": "Azure Defender pricing tier",
+      "description": "Azure Defender pricing tier"
+    },
+    "allowedValues": [
+      "Standard",
+      "Free"
+    ],
+    "defaultValue": "Standard"
+  },
+  "effect": {
+    "type": "string",
+    "metadata": {
+      "displayName": "Effect",
+      "description": "Enable or disable the execution of the policy"
+    },
+    "allowedValues": [
+      "DeployIfNotExists",
+      "Disabled"
+    ],
+    "defaultValue": "DeployIfNotExists"
+  }
+}
\ No newline at end of file
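Review bot: `pricingTier` in azurepolicy.parameters.json admits `"Free"` even though the definition is named "Configure Microsoft Defender for Cosmos DB to be enabled"; the rules file's existenceCondition treats the subscription as compliant only when its pricingTier equals this parameter, so a DeployIfNotExists assignment that passes `Free` would remediate an already-enabled CosmosDbs plan down to Free rather than leave it alone. The policy set reference in DefenderForCloud.bicep passes `parameters: {}`, which keeps the Standard default on that path, but a direct assignment of the definition is not protected the same way. Consider removing `"Free"` from allowedValues, or at least stating the consequence in the metadata, e.g. `"description": "Azure Defender pricing tier; Free turns the Defender for Cosmos DB plan off"`.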
diff --git a/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
new file mode 100644
index 00000000..673ab77c
--- /dev/null
+++ b/policy/custom/definitions/policy/DefenderForCloud-Deploy-DefenderPlan-CosmosDB/azurepolicy.rules.json
@@ -0,0 +1,69 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Resources/subscriptions"
+      }
+    ]
+  },
+  "then": {
+    "effect": "[parameters('effect')]",
+    "details": {
+      "type": "Microsoft.Security/pricings",
+      "name": "CosmosDbs",
+      "deploymentScope": "Subscription",
+      "existenceScope": "Subscription",
+      "roleDefinitionIds": [
+        "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
+      ],
+      "existenceCondition": {
+        "allOf": [
+          {
+            "field": "Microsoft.Security/pricings/pricingTier",
+            "equals": "[parameters('pricingTier')]"
+          },
+          {
+            "field": "type",
+            "equals": "Microsoft.Security/pricings"
+          }
+        ]
+      },
+      "deployment": {
+        "location": "canadacentral",
+        "properties": {
+          "mode": "incremental",
+          "parameters": {
+            "pricingTier": {
+              "value": "[parameters('pricingTier')]"
+            }
+          },
+          "template": {
+            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+            "contentVersion": "1.0.0.0",
+            "parameters": {
+              "pricingTier": {
+                "type": "string",
+                "metadata": {
+                  "description": "Azure Defender pricing tier"
+                }
+              }
+            },
+            "variables": {},
+            "resources": [
+              {
+                "type": "Microsoft.Security/pricings",
+                "apiVersion": "2018-06-01",
+                "name": "CosmosDbs",
+                "properties": {
+                  "pricingTier": "[parameters('pricingTier')]"
+                }
+              }
+            ],
+            "outputs": {}
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.bicep b/policy/custom/definitions/policyset/DefenderForCloud.bicep
index eefaa96e..182a7514 100644
--- a/policy/custom/definitions/policyset/DefenderForCloud.bicep
+++ b/policy/custom/definitions/policyset/DefenderForCloud.bicep
@@ -9,6 +9,11 @@ targetScope = 'managementGroup'
+@description('Management Group scope for the policy definition.')
+param policyDefinitionManagementGroupId string
+
+var customPolicyDefinitionMgScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
+
 resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-01' = {
   name: 'custom-enable-azure-defender'
   properties: {
@@ -164,6 +169,14 @@ resource ascAzureDefender 'Microsoft.Authorization/policySetDefinitions@2020-03-
         policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Containers to be enabled', ' ', '-'))
         parameters: {}
       }
+      {
+        groupNames: [
+          'EXTRA'
+        ]
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'DefenderForCloud-Deploy-DefenderPlan-CosmosDB')
+        policyDefinitionReferenceId: toLower(replace('Configure Microsoft Defender for Cosmos DB to be enabled', ' ', '-'))
+        parameters: {}
+      }
     ]
   }
 }
diff --git a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
index 1be78a2d..434f8920 100644
--- a/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
+++ b/policy/custom/definitions/policyset/DefenderForCloud.parameters.json
@@ -1,5 +1,9 @@
 {
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
-  "parameters": {}
+  "parameters": {
+    "policyDefinitionManagementGroupId": {
+      "value": "{{var-topLevelManagementGroupName}}"
+    }
+  }
 }
\ No newline at end of file
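Review bot: The new set entry tags the Cosmos DB reference with `groupNames: ['EXTRA']`, which only resolves if the policy set declares a policyDefinitionGroups entry named `EXTRA`; that declaration, and any groupNames on the neighbouring Containers entry, lie outside the hunk, so whether the new entry is consistent with its siblings cannot be confirmed from here. Worth checking that the group exists, or aligning with the sibling entries if they carry no groupNames. Because `parameters: {}` leaves the custom definition's `pricingTier` and `effect` at their defaults (Standard, DeployIfNotExists), the set enables the plan unconditionally; if an operator ever needs to disable or tune it per assignment, the set would have to surface those parameters. The `ascAzureDefender` resource body begins before this hunk.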