Niclas

Results 22 issues of Niclas

How can I ensure that my deployed ESLZ policies are always on the latest version? Do I have to manually check each month or can it somehow be automated? For...

enhancement
question
policy
engineering
long term

#### Details of the scenario you tried and the problem that is occurring

All [built-in policies](docs.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies) deploying diagnostic settings for a service to event hub are MISSING the “eventHubName” parameter....

https://github.com/Azure/azure-policy/blob/master/built-in-policies/policySetDefinitions/Kubernetes/AKS_Safeguards.json

The link "https://aka.ms/aks/safeguards" in the description is broken for the policy "[Preview]: AKS Safeguards should help guide developers towards AKS recommended best practices".

The security concept around `AzOps` is questionable. It basically breaks with all of Microsoft's recommendations around `least privileges`. You have a single pipeline with permissions to manage more or less...

enhancement
design-doc

According to Microsoft policy documentation, all single policy definitions should be part of an initiative:

- We recommend creating and assigning initiative definitions even for a single policy definition. For...

[Deny or Audit resources without Encryption with a customer-managed key (CMK)](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html) is not part of the [policy list](https://github.com/Azure/Enterprise-Scale/blob/main/docs/wiki/ALZ-Policies.md). This means it lacks a recommendation on the scope. Back to some of...

Area: Policy :pencil:
Type: Documentation :page_facing_up:
Type: Enhancement :sparkles:

The policy [Deny vNet peering to non-approved vNets](https://www.azadvertizer.net/azpolicyadvertizer/Deny-VNET-Peering-To-Non-Approved-VNETs.html) is (obviously) not found in list: https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies#intermediate-root hence, it has no recommendation or guideline on usage. The nearest guideline is this: https://github.com/Azure/Enterprise-Scale/wiki/Whats-new#policy-17...

Area: Policy :pencil:
Type: Feature Request :heavy_plus_sign:

Related to #1560. Consider moving "Public network access should be disabled for PaaS services" ([Deny-PublicPaaSEndpoints](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deny-PublicPaaSEndpoints.html)) from Corp MG to intermediate root group. The resources under both Platform MG should also...

Area: Policy :pencil:
Status: Long Term :hourglass:
Type: Feature Request :heavy_plus_sign:

### Policy Definition or Initiative

Initiative

### Built-in/Custom

Custom

### Built-in policy definition or initiative ID

### Custom policy definition or initiative description

For the organizations that use Managed HSM....

policy
Area: Policy :pencil:
Type: Feature Request :heavy_plus_sign:

Replace the ALZ policy "**Storage Account set to minimum TLS and Secure transfer should be enabled**" ([Deny-Storage-minTLS](https://www.azadvertizer.net/azpolicyadvertizer/Deny-Storage-minTLS.html)) with the 2 built-in policies:

- [Storage accounts should have the specified minimum...

Area: Policy :pencil:
Type: Feature Request :heavy_plus_sign: