gen-azure-policy
Latest: v4.3.0
Category: Governance
Total Versions: 30
Last Updated: 12/30/2025

Release History
v4.3.0 Latest
Changes:
- Added two Azure built-in policy definitions to the gen-azure-policy module to support private container hosting:
  - "Container Apps environment should disable public network access"
  - "Azure Container Instance container group should deploy into a virtual network"
  Policies are added with default effect Audit in the generic module. For DELA these policies are intended to be assigned with Deny in the DELA governance repository in a later change. No assignments or effect changes are activated in this PR.
- Merged PR 15308: Add policies to enhance security for Container Apps and Azure Container Insta...
v4.2.0
Changes:
- Add the option to exclude specific RGs from applying the policy.
- This is needed to skip RGs that have a system deny assignment set on them.
- Add the tag "skipInSimacMonitoring" to the specific RG with a value of one of these:
- Merged PR 14818: Add option to exclude RG's
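The resource-group exclusion this release describes, shown as an added illustration rather than the module's own definition (which is not on this page): an Azure Policy definition whose rule only applies to virtual machines tagged SimacMonitoring = Yes and whose resource group does not carry skipInSimacMonitoring with one of the skip values. The parameter name skipTagValues and its PLACEHOLDER default values are assumptions, because the page does not list the accepted tag values; the AuditIfNotExists-style "then" block stands in for the module's DeployIfNotExists alert deployments, whose deployment templates are not shown here. The existence check reuses the Microsoft.Insights/MetricAlerts/enabled field referenced in v4.0.0.

```json
{
  "properties": {
    "displayName": "EXAMPLE: monitoring policy that skips resource groups tagged skipInSimacMonitoring",
    "mode": "Indexed",
    "parameters": {
      "skipTagValues": {
        "type": "Array",
        "metadata": {
          "displayName": "Resource group tag values that exclude the RG",
          "description": "PLACEHOLDER list; the accepted values are not listed on this page."
        },
        "defaultValue": [ "PLACEHOLDER_VALUE_1", "PLACEHOLDER_VALUE_2" ]
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "AuditIfNotExists", "Disabled" ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          { "field": "tags['SimacMonitoring']", "equals": "Yes" },
          {
            "value": "[resourceGroup().tags['skipInSimacMonitoring']]",
            "notIn": "[parameters('skipTagValues')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/metricAlerts",
          "existenceCondition": {
            "field": "Microsoft.Insights/MetricAlerts/enabled",
            "equals": "true"
          }
        }
      }
    }
  }
}
```

The resourceGroup() function reads the tags of the resource group that contains the evaluated VM, the same mechanism the built-in "inherit a tag from the resource group" policies use; a resource group without the tag yields an empty value, which is not in the skip list, so untagged resource groups stay in scope. Because the exclusion is evaluated inside the policy rule rather than through an assignment exclusion, a resource group that has a system deny assignment is never targeted for remediation in the first place, which is what avoids the failed remediation deployments the release note refers to.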
v4.1.1
Changes:
- Policy definition changed to the correct one (modify to audit/deny).
  Old: "Configure your Storage account public access to be disallowed"
  New: "Storage account public access should be disallowed"
- Merged PR 14798: Update display name for storage account public access policy
v4.1.0
Changes:
- Security policy "Configure your Storage account public access to be disallowed" with default action "Deny".
- Merged PR 14730: Add policy to disallow public access to Azure Storage accounts
v4.0.5
Changes:
- ExistenceCondition checked on wrong severity value.
- Merged PR 14658: Fix typo in severity display name metadata
v4.0.4
Changes:
- ExistenceCondition checked on wrong severity value.
- Merged PR 14656: Rollback... Fixed severity on existencecondition
v4.0.3
Changes:
- Severity property needs a value that can be converted to int.
- Merged PR 14626: Fix some more severities
v4.0.2
Changes:
- Severity property needs a value that can be converted to int.
- Merged PR 14607: Update alert policies for consistency and clarity
v4.0.1
Changes:
- Change default values to critical/warning/informational.
- Merged PR 14562: Update default severity values in alert policies to warning and critical
v4.0.0 Breaking
Changes:
- Field references updated from scheduledQueryRules to MetricAlerts, e.g. "field": "Microsoft.Insights/MetricAlerts/enabled"
- Merged PR 14543: Update field references from scheduledQueryRules to MetricAlerts in alert pol...
- Severity changed from sev-x notation to simac_critical, simac_warning and simac_informational.
- This makes it clear that alerts are sent to Simac and which severity each gets (and to which endpoints it is sent).
v3.9.3
Changes:
- Removed "AFS-Deploy Alert for Firewall Health in Metrics" because "AFS-Deploy Alert for Azure Firewall Health" checks the same metric.
- Merged PR 13960: Updated afs_platform_alert_policies_custom.yml
v3.9.2
Changes:
- Corrected the metric name for the Firewall latency metric in the existenceCondition of the following policies:
  - "AFS-Deploy Alert for Azure Firewall Latency Critical"
  - "AFS-Deploy Alert for Azure Firewall Health"
- Merged PR 13957: Updated afs_platform_alert_policies_custom.yml
v3.9.1
Changes:
- Corrected the metric name for the Firewall latency metric in the existenceCondition of the "AFS-Deploy Alert for Azure Firewall Latency Warning" policy.
- Merged PR 13953: Update Firewall latency metric name in alert policy configuration
v3.9.0
Changes:
- Added CreatedBy tag to platform monitoring policies. Fixed some issues with the Firewall Alert Policies.
- Merged PR 13922: createdby tag & Firewall Alert policies
v3.8.2
Changes:
- Added Firewall Alerts:
  - Throughput
  - Latency
  - SNAT Port Utilization
  - Health
  - FatFlowLog/FlowTrace
- Merged PR 13869: Add FW Alerts
v3.8.1
Changes:
- Add policy "MySQL servers should use customer-managed keys to encrypt data at rest"
- Merged PR 13642: Update MySQL encryption policy to use customer-managed keys and modify parame...
v3.8.0
Changes:
- Policies for customer-managed encryption keys, default in audit mode:
  - Azure Container Instance container group should use customer-managed key for encryption
  - Storage accounts should use customer-managed key for encryption
  - Table Storage should use customer-managed key for encryption
  - App Configuration should use a customer-managed key
  - Queue Storage should use customer-managed key for encryption
  - SQL servers should use customer-managed keys to encrypt data at rest
  - PostgreSQL flexible servers should use customer-managed keys to encrypt data at rest
  - PostgreSQL servers should use customer-managed keys to encrypt data at rest
  - SQL managed instances should use customer-managed keys to encrypt data at rest
  - Customer managed key encryption must be used as part of CMK Encryption for Arc SQL managed instances
  - Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Merged PR 13633: Add policies for customer-managed key encryption across various Azure services
v3.7.3
Changes:
- Updated gen-azure-policy, custom governance policy 'AFS-Deploy Azure Monitoring Agent on Windows machines'.
- Parameterized the Azure Monitor agent type handler version: ama_type_handler_version. The default is type handler version 1.0 as it used to be, so default behavior remains the same.
- Merged PR 13557: Updated afs_governance_policies_custom.yml
v3.7.2
Changes:
- Fixed issues with policies not being compliant after remediation:
  - AFS-Deploy Alert for SQL Database High DTU Utilization: excluded system databases, checking for the DTU metric, valid WindowSize
  - AFS-Deploy Alert for SQL Database Failed Connections: excluded system databases, fixed case in metric names
  - AFS-Deploy Alert for SQL Database Entra ID Authentication Changes in Activity Logs
- Merged PR 13153: Fixed policy compliance
v3.7.1
Changes:
- Updated gen-azure-policy, custom governance policy 'AFS-Deploy Azure Monitoring Agent on Windows machines'.
- Parameterized the Azure Monitor agent type handler version: ama_type_handler_version. The default is type handler version 1.0 as it used to be, so default behavior remains the same; the type handler can now be adjusted as needed by updating the parameter.
- Merged PR 13089: Updated policy AFS-Deploy Azure Monitoring Agent on Windows machines
v3.7.0
Changes:
- Policy to deploy Azure Service Health planned maintenance alerts for Simac managed subscriptions.
- Merged PR 12874: Add Planned maintenance alert
v3.6.0
Changes:
- The following policies are added to deploy Alert rules in monitored subscriptions:
  - Deploy Alert for Delete SQL Server Firewall Rule in Activity Logs
  - Deploy Alert for Create or Update SQL Firewall Rule in Activity Logs
  - Deploy Alert for Create or Update Network Security Group in Activity Logs
  - Deploy Alert for Create or Update Network Security Group Rules in Activity Logs
  - Deploy Critical Alert for Key vault expiration keys, secrets and certificates
  - Deploy Alert for SQL Database High CPU Utilization
  - Deploy Alert for SQL Database High DTU Utilization
  - Deploy Alert for SQL Database High Storage Utilization
  - Deploy Alert for SQL Database Failed Connections
  - Deploy Alert for SQL Database Delete in Activity Logs
  - Deploy Alert for SQL Database Configuration Changes in Activity Logs
  - Deploy Alert for SQL Database TDE Configuration Changes in Activity Logs
- All Administrative alert rules only trigger on succeeded events.
- Merged PR 12729: Add policies for alert rules
v3.5.1
Changes:
- Added variable group
- Changed release note branch to main
- Changed PR template without skip
- Added IPMhub publish
- Merged PR 12240: IPM Hub
v3.5.0
Changes:
- Subscription filter in monitoring policies: set the tag "includeInSimacMonitoring" to "Yes" to include the subscription in Simac Monitoring.
- Disk Alert Rules will now also be created for Azure Local Windows hosts.
- Added the option to create the Disk Alert Rules without the "SimacMonitoring" tag on a VM. If the parameter "CreateWithoutTag" is set to "true", the Disk Alert Rules will be created enabled. You can disable the rules by setting the tag "SimacMonitoring" to "No" on the VM.
- Merged PR 11799: Added subscription filter to monitoring policies
v3.4.1
Changes:
- Deny Cloud Shell policy description changed to a more generic message.
- Merged PR 11722: Updated afs_governance_policies_custom.yml
v3.4.0
Changes:
- Policy to enforce the updateschedule tag on virtual machines. Only the options 01, 02, 03, noupdate and no are allowed.
- Merged PR 11649: Add tag policy
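The tag policy this release adds, written out as an added example (this is not the module's own definition, which the page does not reproduce): an Azure Policy definition that denies creating or updating a virtual machine whose updateschedule tag is missing or holds a value outside the listed options. The parameter names allowedValues and effect are assumptions; the page states the allowed values (01, 02, 03, noupdate, no) but not the effect, so Deny as the default is an assumption consistent with "enforce".

```json
{
  "properties": {
    "displayName": "EXAMPLE: enforce the updateschedule tag on virtual machines",
    "description": "VMs must carry an updateschedule tag set to one of the allowed values.",
    "mode": "Indexed",
    "parameters": {
      "allowedValues": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed updateschedule values",
          "description": "Values accepted for the updateschedule tag."
        },
        "defaultValue": [ "01", "02", "03", "noupdate", "no" ]
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
          {
            "anyOf": [
              { "field": "tags['updateschedule']", "exists": "false" },
              { "field": "tags['updateschedule']", "notIn": "[parameters('allowedValues')]" }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two behaviours worth checking before assigning such a policy with Deny: the condition is split into an explicit exists:false branch and a notIn branch so that both a missing tag and a wrong value are caught, and Deny only blocks new create/update requests, so VMs that already exist with a wrong or missing tag are reported as non-compliant but not changed. Tag names in Azure Policy field lookups are matched case-insensitively, while the values compared with notIn are matched as given, so "NoUpdate" would be rejected under these defaults.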
v3.3.1
Changes:
- FreeSpaceinGB changed to FreeSpaceinMB.
- Merged PR 11597: Add existenceConditions to refresh the alert rules when parameters change.
v3.3.0
Changes:
- Fixed the bug in the v3.3.0 version that prevented the policies from being installed, and changed the following:
- Added a percent free parameter to the 2 custom policies in 'afs_platform_alerts_policies_custom.yml' for disk space alerts. The free space has to be less than the GB value && the % value, which gives better control for large and small disks. The defaults are now:
  - Warning policy: less than 5GB and 2.5% free, Severity 2 warning, DeployIfNotExist on VMs with tag 'SimacMonitoring' = 'Yes'
  - Critical policy: less than 0.5GB and 0.5% free, Severity 0 critical, DeployIfNotExist on VMs with tag 'SimacMonitoring' = 'Yes'
- Merged PR 11592: fixes and add % parameter
- 2 custom policies in 'afs_platform_alerts_policies_custom.yml' for disk space alerts, with the following defaults:
  - Warning policy: less than 10GB free, Severity 2 warning, DeployIfNotExist on VMs with tag 'SimacMonitoring' = 'Yes'
  - Critical policy: less than 0.5GB free, Severity 0 critical, DeployIfNotExist on VMs with tag 'SimacMonitoring' = 'Yes'
- Merged PR 11558: Add Azure Alerts for Disk Space Free Warning and Critical conditions
v3.2.0
Changes:
- 'afs_platform_alert_policies_builtin.yml' with effect: 'Disabled'. Set to 'DeployIfNotExists' in 'afs_platform_alert_builtin_override.yml' for
- Merged PR 11509: Add built-in policy for Windows machine data collection association
v3.1.0
Changes:
- Added policies to the default policies set:
  - Azure Databricks clusters
- Merged PR 11401: Add some policies