Update Microsoft Defender for Cloud plan for Containers (#876)
* docs

* Portal UXs & orchestration

* policy defs and assignments

* update portal MDFC naming

* portal fairfax MDFC naming

Co-authored-by: Matt White <matt.white@microsoft.com>
jtracey93 and matt-FFFFFF authored Jan 28, 2022
1 parent e977b6c commit 4ed462c
Showing 13 changed files with 112 additions and 137 deletions.
23 changes: 11 additions & 12 deletions docs/ESLZ-Policies.md
Expand Up @@ -141,7 +141,7 @@ We work with - and learn from our customers and partners to ensure that we evolv
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version | State | Can optionally be assigned when deploying ESLZ | Assignment scope
|---|---|---|---|---|---|---|
| Deny or Deploy and Append TLS requirements and SSL enforcement on resources without encryption in transit | Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed | append, audit, auditIfNotExists, deployIfNotExists, deny | 1.0.0 | Custom policySet | Yes, recommended | Landing Zones management group
| Deploy Azure Security Center Configuration | Configures all the ASC settings, such as Azure Defender per individual service, security contacts, and export from ASC to Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policySet| Yes, recommended | Intermediate root Management Group
| Deploy Azure Security Center Configuration | Configures all the ASC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from ASC to Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policySet| Yes, recommended | Intermediate root Management Group
| Public network access should be disabled for PaaS services | Initiative that includes multiple policyDefinitions towards PaaS services to prevent usage of public endpoints | deny, disabled | 1.0.0 | Custom policySet| Yes, recommended | Corp Management Group
| Deploy Diagnostic Settings to Azure Services | Initiative containing all the DINE policies for diagnostics settings for individual Azure services | deployIfNotExists, disabled | 1.0.0 | Yes, recommended | Intermediate root Management Group
| Deploy SQL Database built-in SQL security configuration | Initiative for built-in SQL security configuration, such as auditing, alert, TDE and SQL vulnerability | deployIfNotExists, disabled | 1.0.0 | Custom policySet| No | Landing Zone Management Group
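Review bot: the rewritten "Deploy Azure Security Center Configuration" row mixes old and new product names in one cell: it now reads "Microsoft Defender for Cloud per individual service" but keeps "ASC settings" and "export from ASC", and the display name itself is untouched. Since Microsoft Defender for Cloud is the umbrella product and the per-service items are its plans, "such as the Microsoft Defender plans per individual service" is the accurate phrasing, and spelling out "Azure Security Center (now Microsoft Defender for Cloud)" once avoids leaving "ASC" unexplained. While editing this table, the unchanged "Deploy Diagnostic Settings to Azure Services" row has six cells against the seven-column header (the "State" cell is missing), so it renders with its columns shifted.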
Expand All @@ -163,14 +163,13 @@ We work with - and learn from our customers and partners to ensure that we evolv
| Kubernetes cluster should not allow privileged containers | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. | deny, audit, disabled | 7.0.0 | Built-in policy | Yes, recommended | Landing Zones Management Group
| Kubernetes clusters should be accessible only over HTTPS | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc | deny, audit, disabled | 6.0.0 | Built-in policy | Yes, recommended | Landing Zones Management Group
| Virtual networks should be protected by Azure DDoS Protection Standard | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. | modify, audit, disabled | 1.0.0 | Built-in policy | Yes, recommended, Adventure works | Landing Zones Management Group
| Deploy Azure Defender for Virtual Machines | Deploys and enable Azure Defender for Virtual Machines on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy| Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Sql on Virtual Machines | Deploys and enable Azure Defender for Sql on Virtual Machines on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Azure Sql Databases | Deploys and enable Azure Defender for Azure Sql Databases on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Storage Accounts | Deploys and enable Azure Defender for Sql on Storage Accounts on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for DNS | Deploys and enable Azure Defender for DNS on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for ARM | Deploys and enable Azure Defender for Azure Resource Manager on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for App Services | Deploys and enable Azure Defender for App Services on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for AKV | Deploys and enable Azure Defender for Azure Key Vault on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for AKS | Deploys and enable Azure Defender for Azure Kubernetes on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy| Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for ACR | Deploys and enable Azure Defender for Azure Container Registries on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for open-source relational databases | Deploys and enable Azure Defender for open-source relational databases on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for Virtual Machines | Deploys and enable Microsoft Defender for Cloud for Virtual Machines on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy| Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for Sql on Virtual Machines | Deploys and enable Microsoft Defender for Cloud for Sql on Virtual Machines on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for Azure Sql Databases | Deploys and enable Microsoft Defender for Cloud for Azure Sql Databases on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for Storage Accounts | Deploys and enable Microsoft Defender for Cloud for Sql on Storage Accounts on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for DNS | Deploys and enable Microsoft Defender for Cloud for DNS on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for ARM | Deploys and enable Microsoft Defender for Cloud for Azure Resource Manager on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for App Services | Deploys and enable Microsoft Defender for Cloud for App Services on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for AKV | Deploys and enable Microsoft Defender for Cloud for Azure Key Vault on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for Containers | Deploys and enable Microsoft Defender for Cloud for Containers (Kubernetes and Container Registries) on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Microsoft Defender for Cloud for open-source relational databases | Deploys and enable Microsoft Defender for Cloud for open-source relational databases on the subscription | deployIfNotExists, disabled | 1.0.0 | Built-in policy | Yes, recommended | Intermediate root Management Group | Security Center |
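Review bot: the renamed rows carry over two pre-existing defects and introduce a naming inconsistency. The Storage Accounts row still says "Deploys and enable Microsoft Defender for Cloud for Sql on Storage Accounts", a copy-paste error from the SQL row that should read "for Storage Accounts"; every row also says "Deploys and enable", which should be "Deploys and enables". Each of these rows has eight cells ("| Security Center |" at the end) against the seven-column header, so the trailing cell is dropped or misrendered. Finally, "Microsoft Defender for Cloud for Containers" does not match the plan name used by the same commit in Whats-new.md ("Configure Microsoft Defender for Containers to be enabled"); using the plan names ("Microsoft Defender for Containers", "Microsoft Defender for Servers", and so on) in the display name and description keeps the two documents consistent.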
12 changes: 10 additions & 2 deletions docs/wiki/Whats-new.md
Expand Up @@ -49,6 +49,15 @@ Here's what's changed in Enterprise Scale:

- Updated `Deny-Subnet-Without-Nsg` & `Deny-Subnet-Without-Udr` to version 2.0.0
- Fixes scenario described in issue issue [#407](https://github.com/Azure/Enterprise-Scale/issues/407)
- Updated `Deploy-ASCDF-Config` policy initiative with changes relating to new [Microsoft Defender for Cloud Containers plan](https://docs.microsoft.com/azure/defender-for-cloud/release-notes#microsoft-defender-for-containers-plan-released-for-general-availability-ga) as documented in issue [#874](https://github.com/Azure/Enterprise-Scale/issues/874)
- Updated in Public (Commercial), Fairfax (Gov) and Mooncake (China)
- Updated portal experiences for Public and Fairfax

| Policy Definition Display Name | Policy Definition ID | Note |
| ------- | -- | ----- |
| [Deprecated]: Configure Azure Defender for container registries to be enabled | d3d1e68e-49d4-4b56-acff-93cef644b432 | REMOVED - Old ACR policy |
| [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | 133047bf-1369-41e3-a3be-74a11ed1395a | REMOVED - Old AKS Policy |
| Configure Microsoft Defender for Containers to be enabled | c9ddb292-b203-4738-aead-18e2716e858f | ADDED - New grouped containers policy for the new plan |

### Other

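Review bot: the new entry documents the policy definition swap but not the parameter rename that the other files in this commit make (`enableAscForRegistries` and `enableAscForKubernetes` replaced by `enableAscForContainers` in eslzArm/README.md). Anyone with a saved deployment script or parameter file will hit an unknown-parameter failure, so a line such as "The `enableAscForRegistries` and `enableAscForKubernetes` parameters are replaced by `enableAscForContainers`" belongs next to the table. The context line above it, "Fixes scenario described in issue issue [#407]", also repeats "issue" and could be corrected in passing.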
Expand All @@ -74,8 +83,7 @@ Here's what's changed in Enterprise Scale:
### Policy

- The following policy definitions for Microsoft Defender for Cloud configurations are not available as built-in in Azure China. The policy set definition will be updated as when these policy definitions are available:
- defenderForOssDb, defenderForSqlServerVirtualMachines, defenderForAppServices, defenderForAppServices, defenderForStorageAccounts, defenderForKubernetesService, defenderForKeyVaults, defenderForDns, defenderForArm
- defenderForContainerRegistry - this built-in policy has been deprecated
- defenderForOssDb, defenderForSqlServerVirtualMachines, defenderForAppServices, defenderForAppServices, defenderForStorageAccounts, defenderForKeyVaults, defenderForDns, defenderForArm

### November 2021

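Review bot: the rewritten Azure China list drops `defenderForKubernetesService` and the `defenderForContainerRegistry` bullet without adding the new containers definition, which implies that "Configure Microsoft Defender for Containers to be enabled" (c9ddb292-b203-4738-aead-18e2716e858f) is built in for Azure China; if that has not been verified, add `defenderForContainers` to this list, since the README-AzureChina.md change in the same commit now passes `-enableAscForContainers` unconditionally. The list also still contains `defenderForAppServices` twice (carried over from the old line) and should be deduplicated.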
1 change: 1 addition & 0 deletions eslzArm/README-AzureChina.md
Expand Up @@ -147,6 +147,7 @@ New-AzManagementGroupDeployment -Name "$($DeploymentName)-asc-config" `
-logAnalyticsResourceId "/subscriptions/$($ManagementSubscriptionId)/resourceGroups/$($eslzPrefix)-mgmt/providers/Microsoft.OperationalInsights/workspaces/$($eslzPrefix)-law" `
-enableAscForServers "DeployIfNotExists" `
-enableAscForSql "DeployIfNotExists" `
-enableAscForContainers "DeployIfNotExists" `
-emailContactAsc $SecurityContactEmailAddress `
-Verbose
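Review bot: this README passes only the servers, SQL and containers toggles, while eslzArm/README.md passes the full set; the omission is deliberate per the Whats-new entry for Azure China, but a one-line comment above the command saying that the remaining `enableAscFor*` parameters are omitted because those definitions are not yet built in for Azure China would stop readers from copying the longer command and hitting unknown-parameter errors.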
3 changes: 1 addition & 2 deletions eslzArm/README.md
Expand Up @@ -178,10 +178,9 @@ New-AzManagementGroupDeployment -Name "$($DeploymentName)-asc-config" `
-enableAscForSql "DeployIfNotExists" `
-enableAscForAppServices "DeployIfNotExists" `
-enableAscForStorage "DeployIfNotExists" `
-enableAscForRegistries "DeployIfNotExists" `
-enableAscForContainers "DeployIfNotExists" `
-enableAscForKeyVault "DeployIfNotExists" `
-enableAscForSqlOnVm "DeployIfNotExists" `
-enableAscForKubernetes "DeployIfNotExists" `
-enableAscForArm "DeployIfNotExists" `
-enableAscForDns "DeployIfNotExists" `
-enableAscForOssDb "DeployIfNotExists" `
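Review bot: replacing `-enableAscForRegistries` with `-enableAscForContainers` and deleting `-enableAscForKubernetes` is a breaking change for existing deployment scripts, and nothing in this README calls it out; a short note under the command stating that the two old parameters are no longer accepted by the `Deploy-ASCDF-Config` deployment would help, since a stale parameter makes `New-AzManagementGroupDeployment` fail at validation rather than silently ignoring it.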