Enterprise-Scale

Deny-PublicPaaSEndpoints contains a policy with no deny effect

Open alperkar opened this issue 1 year ago • 4 comments

API Management should disable public network access to the service configuration endpoints policy (/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd), which is part of the Deny-PublicPaaSEndpoints initiative, does not have a deny effect. It should either be removed from the initiative or a deny effect should be added to the built-in policy.

alperkar avatar May 23 '24 12:05 alperkar

Hi @achechen, thanks again for raising your issues and concerns here! We're busy packaging the next policy refresh, which is large and contains many updates including to that particular initiative. Can I ask we review this in a week or so? If the policy doesn't have a Deny, you can override this in the assignment, as a workaround.

Springstone avatar May 23 '24 14:05 Springstone

The Policy's effect parameter has allowedValues of AuditIfNotExists and Disabled, so it can be changed in the Initiative or Assignment parameters without an override.

Trying to override an AuditIfNotExists Policy with the Deny effect should generate an error and prevent the update. Otherwise, the existenceCondition will not be evaluated and all APIM resources matching the if condition would be denied!

The corresponding APIM enforcement policy below has a DeployIfNotExists effect and so it would probably be in a different initiative named Deploy-:

Configure API Management services to disable access to API Management public service configuration endpoints (7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2)

Many thanks for all the excellent work.

s4parke avatar May 31 '24 18:05 s4parke

@achechen and @s4parke as part of the policy refresh just released, we have a new set of policies and initiatives that can help further secure workload specific features like for APIM (under "Workload Specific Compliance" in the portal accelerator). The DINE policy you mention above is included for API Management specifically.

We'll review if we should remove the AuditIfNotExists policy from the overall infra initiative.

Springstone avatar Jun 06 '24 10:06 Springstone

I noticed most of the latest enforcing policies don't have an AINE effect, but they still are really useful in AINE mode. For example, "Configure Defender for Cloud CSPM Plan" has parameters for all the sub-pricings.

My workaround has been to add them to a separate Initiative and either Assign with Enforcement mode=Off or not enable the SAMI roles.

The override effect in the Assignment would be sweet, but it only works if AINE is already one of the AllowedValues in the Effect Parameter for that policy definition. So it's DINE or Disabled there.

But maybe it's possible to create an Initiative Parameter called "Effect" and tell the Policy to use that instead of its own "Effect" param in the Initiative Definition. That's something to try.

Thanks for all the great work on Policy, it's the best free lunch in cloud security right now.

s4parke avatar Jun 06 '24 18:06 s4parke
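Two points in this thread can be checked locally before anything is assigned: whether a policy's effect parameter even allows Deny (so an assignment override to Deny is valid), and whether an initiative-level "Effect" parameter wired into a policy's own effect parameter resolves to an allowed value. The script below is an added example, not code from the Enterprise-Scale repo. The policy definition is constructed and copies only the shape of the AuditIfNotExists APIM policy from the issue (its id is the one quoted above; the existenceCondition is a placeholder). The initiative name, its `apimEffect` parameter and the `ApimPublicConfigEndpoints` reference id are assumptions, and assignment overrides are modelled simply as parameter values supplied at assignment time.

```python
"""Local effect check for an Azure Policy initiative (constructed example)."""
import re
from typing import Dict, List, Optional

# Matches an ARM parameter reference such as "[parameters('effect')]".
ARM_PARAM = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Id quoted in the issue; only the fields the check reads are modelled.
APIM_POLICY_ID = ("/providers/Microsoft.Authorization/policyDefinitions/"
                  "df73bd95-24da-4a4f-96b9-4e8b94b402bd")

# Constructed policy definition: AuditIfNotExists/Disabled only, no Deny.
# The existenceCondition is a placeholder; the real policy's differs.
POLICY_DEFINITIONS: Dict[str, dict] = {
    APIM_POLICY_ID: {"properties": {
        "parameters": {"effect": {
            "type": "String",
            "allowedValues": ["AuditIfNotExists", "Disabled"],
            "defaultValue": "AuditIfNotExists"}},
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.ApiManagement/service"},
            "then": {"effect": "[parameters('effect')]",
                     "details": {"existenceCondition": {
                         "value": "placeholder", "equals": "placeholder"}}}}}}}

# Constructed initiative: its own parameter feeds the policy's effect parameter,
# the approach suggested in the last comment above.
INITIATIVE = {"properties": {
    "displayName": "Constructed-PublicPaaSEndpoints",
    "parameters": {"apimEffect": {
        "type": "String",
        "allowedValues": ["AuditIfNotExists", "Disabled"],
        "defaultValue": "AuditIfNotExists"}},
    "policyDefinitions": [{
        "policyDefinitionReferenceId": "ApimPublicConfigEndpoints",
        "policyDefinitionId": APIM_POLICY_ID,
        "parameters": {"effect": {"value": "[parameters('apimEffect')]"}}}]}}


def effect_parameter(policy_def: dict) -> Optional[str]:
    """Name of the parameter the rule's effect is bound to, or None if hard-coded."""
    m = ARM_PARAM.match(policy_def["properties"]["policyRule"]["then"]["effect"])
    return m.group(1) if m else None


def allowed_effects(policy_def: dict) -> List[str]:
    """Effects the definition can take: the bound parameter's allowedValues
    (its default if none are declared), or the literal effect in the rule."""
    props = policy_def["properties"]
    name = effect_parameter(policy_def)
    if name is None:
        return [props["policyRule"]["then"]["effect"]]
    param = props["parameters"][name]
    return list(param.get("allowedValues") or [param["defaultValue"]])


def resolve(expr, params: dict, supplied: dict):
    """Resolve "[parameters('x')]" against supplied values, then parameter defaults."""
    m = ARM_PARAM.match(expr) if isinstance(expr, str) else None
    if not m:
        return expr
    name = m.group(1)
    return supplied[name] if name in supplied else params[name].get("defaultValue")


def check_initiative(initiative: dict, policy_defs: Dict[str, dict],
                     assignment_params: Optional[dict] = None) -> List[dict]:
    """One finding per referenced policy: the effects it allows, the effect it
    will actually receive, whether Deny is possible, and whether the pairing is valid."""
    assignment_params = assignment_params or {}
    init_props = initiative["properties"]
    findings = []
    for ref in init_props["policyDefinitions"]:
        pdef = policy_defs[ref["policyDefinitionId"]]
        allowed = allowed_effects(pdef)
        name = effect_parameter(pdef)
        passed = ref.get("parameters", {}).get(name, {}).get("value") if name else None
        if passed is None:  # nothing wired in: the policy's own default applies
            effective = allowed[0] if name is None else \
                pdef["properties"]["parameters"][name].get("defaultValue")
        else:
            effective = resolve(passed, init_props["parameters"], assignment_params)
        findings.append({"reference": ref["policyDefinitionReferenceId"],
                         "allowed": allowed, "effective": effective,
                         "can_deny": "Deny" in allowed,
                         "valid": effective in allowed})
    return findings


def deny_gaps(findings: List[dict]) -> List[str]:
    """Reference ids of policies that cannot be set to Deny, however they are assigned."""
    return [f["reference"] for f in findings if not f["can_deny"]]
```

Running `check_initiative(INITIATIVE, POLICY_DEFINITIONS)` reports the APIM reference as `can_deny: False`, which is the gap the issue describes; passing `{"apimEffect": "Deny"}` as assignment parameters yields `valid: False`, mirroring the expected rejection of a Deny override on an AuditIfNotExists-only policy, while `"Disabled"` resolves cleanly through the initiative parameter.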