Enterprise-Scale
Feature Request - Move Deny-PublicPaaSEndpoints to higher scope
Related to #1560.
Consider moving "Public network access should be disabled for PaaS services" (Deny-PublicPaaSEndpoints) from Corp MG to intermediate root group. The resources under both Platform MG should also use TLS. Not all resources under Online MG should necessarily have a public endpoint.
From a security perspective, it does not make sense to only “protect” workloads in Corp MG. Organizations potentially have PaaS services in the Platform MG as well that should also use TLS v1.2 (v1.3). If not, no harm done by applying this policy to a higher scope. Better safe than sorry.
Hey @vegazbabz, so we are actually saying here to make a duplicate assignment of this policy to platform MG as well?
cc: @Springstone
I agree this should be on Platform. I have had clients bypass restrictions in Platform due to this gap.
I am not a big fan of having duplicates of policy assignments. It quickly gets messy in larger environments. For me, this is applicable to every single resource under the intermediate root group. Consider creating an excluded scope for sandboxes MG.
@vegazbabz It shouldn't make any difference, whether you cover additional scopes (delete assignment and create a new one) or exclude scopes. For ALZ, we're probably talking about sandbox, decommissioned, online, and whatever other management groups you might have. Remember, EVERYTHING under the intermediate management group will inherit those policies (so you would have to exempt those, and probably many other, scopes).
Our goal is to provide effective coverage at the scopes we expect resources to be deployed, aligned with documented guidance. It isn't perfect for everyone, and customers are encouraged to adjust according to their requirements. You are free to remove the individual scope assignments and create a higher-level assignment; you know your business better than we do, and we provide the framework to build on.
If you feel that the Platform management group is easily exploited, we can review and consider adding Platform coverage for the policy initiative. Adding this policy coverage at intermediate group would cause more problems for most customers aligned with ALZ, so we're not likely to do this.
The TLS topic, not sure what you mean - I'm assuming this is something for another issue to track where TLS 1.2 should be the bare minimum configured for everything deployed in the tenant? And this should be assigned at intermediate root?
Not sure why I put the TLS there, confused with the different tickets made - apologies for that 👎 However, the point still stands that if this should apply on Corp MG, it should also apply to Platform MG. Would still prefer to use exclusions on an intermediate MG.
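As an added example (not code from the Enterprise-Scale repo or from anyone in this thread), the model below compares the two assignment strategies discussed here on a constructed, simplified ALZ-style management-group tree: separate assignments on Corp and Platform versus a single assignment at the intermediate root with `notScopes` exclusions, and lists which management groups each leaves unprotected. It assumes only management-group scopes (no subscriptions, resource groups or policy exemptions) and that an excluded scope removes its whole subtree, as Azure `notScopes` do.

```python
# Added example: effective coverage of an Azure Policy assignment across a
# management-group (MG) tree. Hierarchy below is constructed for illustration.

# child -> parent; "root" stands for the intermediate root management group.
MG_PARENT = {
    "platform": "root", "management": "platform",
    "connectivity": "platform", "identity": "platform",
    "landingzones": "root", "corp": "landingzones", "online": "landingzones",
    "sandbox": "root", "decommissioned": "root",
}
ALL_MGS = set(MG_PARENT) | set(MG_PARENT.values())

def ancestors(mg):
    """Yield mg itself, then each parent up to the tree root."""
    while mg is not None:
        yield mg
        mg = MG_PARENT.get(mg)

def is_covered(mg, assignments):
    """True if some assignment (scope, not_scopes) is effective at mg.

    An assignment applies when its scope is mg or an ancestor of mg, unless
    a notScope sits on the path from mg up to (but excluding) that scope:
    Azure notScopes exclude the entire subtree under the excluded scope.
    """
    chain = list(ancestors(mg))
    for scope, not_scopes in assignments:
        if scope not in chain:
            continue
        below_scope = chain[:chain.index(scope)]
        if any(ns in below_scope for ns in not_scopes):
            continue
        return True
    return False

def uncovered(assignments):
    """MGs where the policy is NOT effective: the gaps a reviewer checks."""
    return {mg for mg in ALL_MGS if not is_covered(mg, assignments)}

# (a) Duplicate assignments on Corp and Platform, as proposed in the thread.
DUPLICATE = [("corp", []), ("platform", [])]
# (b) One assignment at the intermediate root, excluding scopes that are
#     expected to keep public endpoints (online) or stay unconstrained.
ROOT_WITH_EXCLUSIONS = [("root", ["online", "sandbox", "decommissioned"])]

if __name__ == "__main__":
    print("gaps with duplicate assignments:", sorted(uncovered(DUPLICATE)))
    print("gaps with root + notScopes:", sorted(uncovered(ROOT_WITH_EXCLUSIONS)))
```

Any new child MG added under `landingzones` or `platform` later is covered automatically in (b) but silently missed in (a), which is the inheritance gap the thread is about.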