Policies must be implemented #1

Closed
14 tasks done
marvinbuss opened this issue Aug 19, 2020 · 4 comments · Fixed by #14
Assignees: marvinbuss
Labels: enhancement (New feature or request)

Comments

marvinbuss commented Aug 19, 2020

Missing Policies:

  • Create DNS A records
  • Create retention policies for SQL DB etc.
  • Share SHIR
  • SQL Auditing settings (Azure SQL, Synapse, etc.)
  • Azure Defender for SQL (Azure SQL, Synapse, etc.)
  • Azure Synapse encryption with cmk
  • Storage encryption with cmk
  • AML encryption with cmk
  • TDE synapse SQL pools
  • Append to deploy for managedIdentitySqlControlSettings
  • dataFlowProperties and other computeProperties for Microsoft.Synapse/workspaces/integrationRuntimes/Managed.typeProperties.
  • Databricks: requireInfrastructureEncryption, prepareEncryption, encryption, ...
  • Cosmos Network settings: IPs and virtual networks --> only PEs
  • Cosmos Customer managed Keys
    ...
@marvinbuss marvinbuss added the enhancement New feature or request label Aug 19, 2020
@marvinbuss marvinbuss self-assigned this Aug 19, 2020
marvinbuss commented Dec 11, 2020

  • Microsoft.KeyVault/vaults/enablePurgeProtection
  • Microsoft.KeyVault/vaults/enableSoftDelete
  • Microsoft.KeyVault/vaults/softDeleteRetentionInDays
  • Microsoft.KeyVault/vaults/enableRbacAuthorization

Diagnostics for:

  • NSG - DONE
  • Route tables - DONE

Network:

  • NSG - DONE
  • Route table - DONE

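The Key Vault aliases listed in the comment above map directly onto an Azure Policy definition. The definition below is an added example, not a policy from this repository: it denies creation or update of a `Microsoft.KeyVault/vaults` resource when purge protection is not enabled or the soft-delete retention period is below a parameterised minimum. The aliases, the `exists`/`equals`/`less` conditions and the `deny` effect are standard Azure Policy language; the display name, the parameter name `minimumSoftDeleteRetentionInDays` and its default of 90 days are assumptions for this example.

```json
{
  "properties": {
    "displayName": "Deny-KeyVault-PurgeProtection-SoftDeleteRetention (example)",
    "description": "Example only: deny key vaults without purge protection or with a soft-delete retention shorter than the minimum.",
    "mode": "Indexed",
    "parameters": {
      "minimumSoftDeleteRetentionInDays": {
        "type": "Integer",
        "defaultValue": 90,
        "metadata": {
          "displayName": "Minimum soft-delete retention (days)",
          "description": "Assumed parameter: vaults with a shorter softDeleteRetentionInDays are denied."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "exists": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/enablePurgeProtection",
                "equals": "false"
              },
              {
                "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
                "less": "[parameters('minimumSoftDeleteRetentionInDays')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Two checks matter when writing deny policies against these aliases. First, `enablePurgeProtection` is false by default and is frequently omitted from the request body, so the `exists: false` branch is what actually catches most non-compliant deployments; a rule with only `equals: false` would let an omitted property through. Second, the `less` comparison against a parameter is only evaluated when the field is present in the request; if a template omits `softDeleteRetentionInDays` the service default applies and this rule does not fire, so add an explicit `exists` branch for that field too if the baseline requires the value to be stated.
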
marvinbuss commented Dec 16, 2020

Work on:

  • Deny-DataFactory-LinkedServicesConnectionStringType
  • Deny-DataFactoryIntegration-vNetProperties
  • Deny-PrivateEndpoint-ManualPrivateLinkServiceConnections
  • Managed virtual network enforced for integration runtimes: Reached out to PG to get clarification on current limitations

Might also require policies for the following alias:

  • Microsoft.EventHub/namespaces/ipFilterRules/ipMask
  • Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId

Contact SQL PG regarding:

  • Microsoft.Sql/managedInstances/azureADOnlyAuthentications alias

  • Azure Backup has alias vault for Private Endpoints, which is equal to Key Vault.

  • Work on denying private endpoints in Stream Analytics from different tenants

  • Work on Customer Encryption Keys

marvinbuss commented Dec 18, 2020

Services completed:

  • Key Vault
  • Synapse
  • Machine Learning
  • Purview
  • Databricks
  • Storage
  • Search
  • Cognitive Services
  • Private Endpoints
  • Log Analytics
  • Private DNS Zones
  • Data Factory
  • Public IP
  • Private Link Services For Power BI
  • Synapse Private Link Hub
  • SQL Server
  • SQL Managed Instance
  • SQL Instance Pools
  • Cosmos DB
  • Azure Batch
  • Container Instance
  • PostgreSQL
  • Stream Analytics
  • TimeSeriesInsights
  • ContainerRegistry
  • EventHub
  • HDInsight
  • IotHubs
  • Kusto
  • Logic Apps
  • DBforMariaDB
  • MySql

@marvinbuss marvinbuss linked a pull request Jan 7, 2021 that will close this issue
marvinbuss commented Jan 12, 2021

To Do:

  • Audit rules for private endpoints for each service
  • Deny Portal deployment for cognitive services and general cognitive services
  • AKS
  • Validate non-working policies again (Batch, HDInsight, Data Explorer)
  • Synapse Purview connection
  • Private DNS for batch: Multiple regions
  • Redis Cache
  • AML Compute - Idle Time before scaledown
