├── .gitignore ├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md ├── SECURITY.md ├── stig ├── README.md ├── linux │ ├── README.md │ ├── config │ │ ├── CentOS74.mof │ │ ├── CentOS75.mof │ │ ├── CentOS76.mof │ │ ├── CentOS77.mof │ │ ├── CentOS78.mof │ │ ├── CentOS79.mof │ │ ├── RHEL72.mof │ │ ├── RHEL73.mof │ │ ├── RHEL74.mof │ │ ├── RHEL75.mof │ │ ├── RHEL77.mof │ │ ├── RHEL78.mof │ │ ├── RHEL79.mof │ │ ├── Ubuntu1804-DataScience.mof │ │ ├── Ubuntu1804.mof │ │ ├── localhost.mof │ │ └── rhel8STIG-ansible.zip │ ├── createUiDefinition.json │ ├── mainTemplate.json │ ├── rhel7STIG.sh │ ├── rhel8STIG.sh │ ├── ubuntuDsVmSTIG.sh │ └── ubuntuSTIG.sh ├── publish-to-blob.ps1 ├── publish-to-existing-vm.md ├── publish-to-shared-gallery.md ├── tools │ ├── README.md │ ├── examples │ │ └── scale-deployment-data-1.psd1 │ ├── kick-start-scaled-deployment.ps1 │ ├── publish-to-blob.ps1 │ └── scale-deployment.ps1 └── windows │ ├── GenerateStigChecklist.ps1 │ ├── InstallModules.ps1 │ ├── README.md │ ├── RequiredModules.ps1 │ ├── Windows.ps1.zip │ ├── createUiDefinition.json │ └── mainTemplate.json └── zero trust architecture blueprint ├── README.md ├── archive ├── implementation-statements │ ├── .sspassistant │ ├── README.md │ ├── ac │ │ ├── ac-02.07.md │ │ ├── ac-02.12.md │ │ ├── ac-04.md │ │ ├── ac-05.md │ │ ├── ac-06.07.md │ │ ├── ac-1.md │ │ ├── ac-17.01.md │ │ ├── ac-2.md │ │ └── ac-23.md │ ├── au │ │ ├── au-03.02.md │ │ ├── au-05.md │ │ ├── au-06.04.md │ │ ├── au-06.05.md │ │ ├── au-12.01.md │ │ └── au-12.md │ ├── cm │ │ ├── cm-07.02.md │ │ ├── cm-07.05.md │ │ └── cm-11.md │ ├── cp │ │ ├── cp-07.md │ │ └── cp-09.05.md │ ├── ia │ │ ├── ia-02.01.md │ │ ├── ia-02.02.md │ │ ├── ia-05.01.md │ │ └── ia-05.md │ ├── ir │ │ └── ir-06.02.md │ ├── ra │ │ └── ra-05.md │ ├── sc │ │ ├── sc-05.md │ │ ├── sc-07.03.md │ │ ├── sc-07.04.md │ │ ├── sc-07.md │ │ ├── sc-08.01.md │ │ └── sc-28.01.md │ └── si │ │ ├── si-02.06.md │ │ ├── si-02.md │ │ ├── si-03.01.md │ │ ├── si-03.md │ │ ├── si-04.12.md │ │ 
├── si-04.18.md │ │ └── si-04.md ├── utils │ └── authoring-assistant │ │ ├── README.md │ │ └── vscode-ssp-assistant-0.0.6.vsix ├── zero-trust-architecture-offline │ ├── README.md │ ├── blueprint │ │ ├── artifacts │ │ │ ├── 05088c37-2381-4674-aa64-d3022d3839e9.json │ │ │ ├── 05af2b76-44e5-40c7-a400-2bf814c90331.json │ │ │ ├── 0d369266-ba61-408f-9224-b59407dd9219.json │ │ │ ├── 15b2256e-6e50-497e-8c7b-12908ea3bcec.json │ │ │ ├── 17932dfa-ef41-4773-bb3f-6d47ec231862.json │ │ │ ├── 2fa4484f-856a-412f-8f6b-4dbe43ece14e.json │ │ │ ├── 325a87d6-1147-4a81-a9b7-be40306f672a.json │ │ │ ├── 3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json │ │ │ ├── 4e8db8db-05a3-4595-aaae-efc24c749ad6.json │ │ │ ├── 758c7b68-2444-44ef-8b96-88697b685ac0.json │ │ │ ├── 86379ec5-5137-4be8-924a-fdac61206823.json │ │ │ ├── 9f359831-fbfd-456d-ac61-7a949d067a55.json │ │ │ ├── a0601552-2ed7-439f-a2f2-104130d3a20f.json │ │ │ ├── a76b04dc-bab8-4e73-9968-be509cfa88b6.json │ │ │ ├── ad448639-d7d1-4f19-a459-02a6883d3a50.json │ │ │ ├── app-linux-vm.json │ │ │ ├── app-windows-vm.json │ │ │ ├── azure-firewall.json │ │ │ ├── bcd7c4f1-5fed-4934-8e08-f76d0779ff27.json │ │ │ ├── bfb71af3-5e93-4fef-8d82-1268fbb70867.json │ │ │ ├── e2e95399-ff59-48b9-9985-504a5eedd7af.json │ │ │ ├── jumpbox.json │ │ │ ├── keyvault.json │ │ │ ├── log-analytics.json │ │ │ ├── net.json │ │ │ ├── nsg.json │ │ │ └── security-center.json │ │ └── blueprint.json │ ├── run.config.json │ ├── run.policy.template.json │ ├── run.ps1 │ └── scripts │ │ ├── DownloadPowerShellModules.ps1 │ │ ├── RequiredModules.ps1 │ │ ├── build.ps1 │ │ ├── dependencies │ │ ├── offline │ │ │ └── apply-stigs.sh │ │ └── online │ │ │ └── apply-stigs.sh │ │ ├── source │ │ └── WindowsServer2019Workgroup │ │ │ └── WindowsServer2019Workgroup.ps1 │ │ └── upload.ps1 └── zero-trust-architecture │ ├── README.md │ └── blueprint │ ├── artifacts │ ├── 05088c37-2381-4674-aa64-d3022d3839e9.json │ ├── 05af2b76-44e5-40c7-a400-2bf814c90331.json │ ├── 
0d369266-ba61-408f-9224-b59407dd9219.json │ ├── 15b2256e-6e50-497e-8c7b-12908ea3bcec.json │ ├── 17932dfa-ef41-4773-bb3f-6d47ec231862.json │ ├── 2fa4484f-856a-412f-8f6b-4dbe43ece14e.json │ ├── 325a87d6-1147-4a81-a9b7-be40306f672a.json │ ├── 3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json │ ├── 4e8db8db-05a3-4595-aaae-efc24c749ad6.json │ ├── 758c7b68-2444-44ef-8b96-88697b685ac0.json │ ├── 86379ec5-5137-4be8-924a-fdac61206823.json │ ├── 939c6f4a-da98-4c2e-9d87-ba25bb8f0c23.json │ ├── 9f359831-fbfd-456d-ac61-7a949d067a55.json │ ├── a0601552-2ed7-439f-a2f2-104130d3a20f.json │ ├── a76b04dc-bab8-4e73-9968-be509cfa88b6.json │ ├── active-directory-domain-services.json │ ├── ad448639-d7d1-4f19-a459-02a6883d3a50.json │ ├── azure-firewall.json │ ├── bcd7c4f1-5fed-4934-8e08-f76d0779ff27.json │ ├── bfb71af3-5e93-4fef-8d82-1268fbb70867.json │ ├── e2e95399-ff59-48b9-9985-504a5eedd7af.json │ ├── jumpbox.json │ ├── keyvault.json │ ├── log-analytics.json │ ├── net.json │ └── nsg.json │ └── blueprint.json ├── zero-trust-architecture-offline-v2 ├── README.md ├── blueprint │ ├── artifacts │ │ ├── 05088c37-2381-4674-aa64-d3022d3839e9.json │ │ ├── 05af2b76-44e5-40c7-a400-2bf814c90331.json │ │ ├── 0d369266-ba61-408f-9224-b59407dd9219.json │ │ ├── 15b2256e-6e50-497e-8c7b-12908ea3bcec.json │ │ ├── 17932dfa-ef41-4773-bb3f-6d47ec231862.json │ │ ├── 2fa4484f-856a-412f-8f6b-4dbe43ece14e.json │ │ ├── 325a87d6-1147-4a81-a9b7-be40306f672a.json │ │ ├── 3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json │ │ ├── 4e8db8db-05a3-4595-aaae-efc24c749ad6.json │ │ ├── 758c7b68-2444-44ef-8b96-88697b685ac0.json │ │ ├── 86379ec5-5137-4be8-924a-fdac61206823.json │ │ ├── 9f359831-fbfd-456d-ac61-7a949d067a55.json │ │ ├── a0601552-2ed7-439f-a2f2-104130d3a20f.json │ │ ├── a76b04dc-bab8-4e73-9968-be509cfa88b6.json │ │ ├── ad448639-d7d1-4f19-a459-02a6883d3a50.json │ │ ├── bcd7c4f1-5fed-4934-8e08-f76d0779ff27.json │ │ ├── bfb71af3-5e93-4fef-8d82-1268fbb70867.json │ │ └── e2e95399-ff59-48b9-9985-504a5eedd7af.json │ └── blueprint.json 
├── run-cleanup.ps1 ├── run.config.json ├── run.policy.template.json ├── run.ps1 ├── scripts │ ├── DownloadPowerShellModules.ps1 │ ├── RequiredModules.ps1 │ ├── build.ps1 │ ├── dependencies │ │ ├── offline │ │ │ └── apply-stigs.sh │ │ └── online │ │ │ └── apply-stigs.sh │ ├── source │ │ └── WindowsServer2019Workgroup │ │ │ └── WindowsServer2019Workgroup.ps1 │ └── upload.ps1 └── src │ ├── hub-security-center.json │ ├── hub-shared-jump-box.json │ ├── hub-shared-network-firewall.json │ ├── hub-shared-network-nsg.json │ ├── hub-shared-network-vnet.json │ ├── hub-shared-security-kv.json │ ├── hub-shared-security-kv.ps1 │ ├── hub-shared-security-log.json │ ├── spoke-workload-linux-vm.json │ ├── spoke-workload-network-vnet.json │ └── spoke-workload-windows-vm.json └── zero-trust-architecture-v2 ├── README.md ├── blueprint ├── artifacts │ ├── hub-security-center.json │ ├── hub-shared-network-bastion.json │ ├── hub-shared-network-firewall.json │ ├── hub-shared-network-gateway.json │ ├── hub-shared-network-nsg.json │ ├── hub-shared-network-vnet.json │ ├── hub-shared-network-watcher.json │ ├── hub-shared-security-log.json │ └── spoke-workload-network-vnet.json └── blueprint.json └── blueprint_gov ├── artifacts ├── hub-security-center.json ├── hub-shared-network-bastion.json ├── hub-shared-network-firewall.json ├── hub-shared-network-gateway.json ├── hub-shared-network-nsg.json ├── hub-shared-network-vnet.json ├── hub-shared-network-watcher.json ├── hub-shared-security-log.json └── spoke-workload-network-vnet.json └── blueprint.json /.gitignore: -------------------------------------------------------------------------------- 1 | **/.DS_Store 2 | .vscode/ 3 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of 
Conduct](https://opensource.microsoft.com/codeofconduct/). 4 | 5 | Resources: 6 | 7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) 8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Welcome to Azure's DoD DevSecOps Enterprise Open Source Solutions! 
2 | 3 | # [ :warning: This library and all its artifacts are currently not actively maintained or supported. Please review the code and instructions carefully, and make any necessary additions or edits before using them. In particular, the pinned module versions, DSC archives and STIG scripts in this repository reflect the STIG releases current when they were written; verify them against the current DISA STIG baselines before relying on them for an authorization.] 4 | 5 | In this repository you will find DevSecOps solutions that will kickstart your path to DoD application development, authorization, and deployment. 6 | 7 | 1. [Zero Trust Architecture Blueprint](https://github.com/Azure/ato-toolkit/tree/master/zero%20trust%20architecture%20blueprint) 8 | 2. [Software Factory](https://github.com/Azure/ato-toolkit/tree/master/software%20factory) 9 | 3. [STIG](https://github.com/Azure/ato-toolkit/tree/master/stig) 10 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, including [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our other GitHub organizations](https://opensource.microsoft.com/). 6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)), please report it to us as described below. 
8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report). 14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 
36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd). 40 | 41 | -------------------------------------------------------------------------------- /stig/README.md: -------------------------------------------------------------------------------- 1 | # Azure STIG solution templates 2 | 3 | Welcome to the open source repository for the Azure STIG solution templates. Here you will find the source code for the STIG solution templates and other additional add-on scripts for further compliance benefits. 4 | -------------------------------------------------------------------------------- /stig/linux/README.md: -------------------------------------------------------------------------------- 1 | > **ATTENTION**: For latest and up to date documentation [please click here to be re-directed to Azure Government Documentation page.](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-stig-linux-vm) 2 | 3 | # Deploy Azure Virtual Machine (Linux) and apply STIG 4 | 5 | [![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Flinux%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Flinux%2FcreateUiDefinition.json) 6 | [![Deploy To Azure 
Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Flinux%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Flinux%2FcreateUiDefinition.json) 7 | 8 | Use this template to deploy an Azure Virtual Machine with a supported Red Hat Enterprise Linux 7 or CentOS 7 image; this folder also carries RHEL 8 and Ubuntu 18.04 scripts and DSC configurations (see the `*STIG.sh` scripts and the `config/` folder for the exact list). The template runs automation developed by [ComplianceAsCode](https://github.com/ComplianceAsCode/content) via the [Azure Custom Script Extension](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux) to apply the [STIG](https://public.cyber.mil/stigs/). The extension runs those scripts with elevated privileges on the new VM, and the buttons above deploy whatever is on the mutable `master` branch at that moment, so review the scripts and deploy from a reviewed copy you control (for example one published with `publish-to-blob.ps1`) rather than from `master` for anything beyond a lab. 9 | 10 | For add-ons to the STIG templates, see: 11 | - [Publish to Shared Gallery](https://github.com/Azure/ato-toolkit/blob/master/stig/publish-to-shared-gallery.md) 12 | - [Publish to Existing VM](https://github.com/Azure/ato-toolkit/blob/master/stig/publish-to-existing-vm.md) 13 | 14 | If you're new to Azure virtual machines, see: 15 | 16 | - [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 17 | - [Azure Linux Virtual Machines documentation](https://docs.microsoft.com/azure/virtual-machines/linux/) 18 | - [Template reference](https://docs.microsoft.com/azure/templates/microsoft.compute/allversions) 19 | - [Quickstart templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Compute&pageNumber=1&sort=Popular) 20 | 21 | If you're new to template deployment, see: 22 | 23 | - [Azure Resource Manager documentation](https://docs.microsoft.com/azure/azure-resource-manager/) 24 | - [Quickstart: Create a Linux virtual machine using an ARM template](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/quick-create-template) 25 | 
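-------------------------------------------------------------------------------- /stig/linux/config/localhost.mof: -------------------------------------------------------------------------------- 1 | /* 2 | @TargetNode='localhost' 3 | @GeneratedBy=Microsoft 4 | @GenerationDate=03/09/2023 13:59:47 5 | @GenerationHost=Microsoft 6 | */ 7 | 8 | instance of MSFT_nxScriptResource as $MSFT_nxScriptResource1ref 9 | { 10 | ResourceID = "[nxScript]EmptyDsc"; 11 | GetScript = "#!/bin/bash\necho emptyGet"; 12 | TestScript = "#!/bin/bash\nexit 0"; 13 | SourceInfo = "D:\\build-linux-config.ps1::93::9::nxScript"; 14 | SetScript = "#!/bin/bash\necho emptySet"; 15 | ModuleName = "nx"; 16 | ModuleVersion = "1.0"; 17 | 18 | ConfigurationName = "LinuxBaseLine"; 19 | 20 | }; 21 | instance of OMI_ConfigurationDocument 22 | 23 | 24 | { 25 | Version="2.0.0"; 26 | 27 | 28 | MinimumCompatibleVersion = "1.0.0"; 29 | 30 | 31 | CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"}; 32 | 33 | 34 | Author="Microsoft"; 35 | 36 | 37 | GenerationDate="03/09/2023 13:59:47"; 38 | 39 | 40 | GenerationHost="Microsoft"; 41 | 42 | 43 | Name="LinuxBaseLine"; 44 | 45 | 46 | }; 47 | -------------------------------------------------------------------------------- /stig/linux/config/rhel8STIG-ansible.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ato-toolkit/64545620d82480c2e17d1e80b8938591338623c1/stig/linux/config/rhel8STIG-ansible.zip -------------------------------------------------------------------------------- /stig/publish-to-blob.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Publishes the STIG solution template and its companion scripts to an Azure Storage container and
prints an Azure Portal "Deploy to Azure" link for them.

.DESCRIPTION
Uploads every file under the windows\ or linux\ folder next to this script (except this script and
markdown files) into the given container of an existing storage account, then builds a portal URL
that points at the uploaded mainTemplate.json and createUiDefinition.json.

The portal URL embeds a container SAS token. A SAS is a bearer credential: anyone holding the URL
can read the container until the token expires. Treat the printed link as a secret (do not paste it
into tickets, chat or CI logs) and keep its validity short.

.PARAMETER resourceGroupName
Resource group that contains the storage account.

.PARAMETER storageAccountName
Existing storage account to upload into. The current Az context must be able to read its keys.

.PARAMETER containerName
Blob container to create (private, no anonymous access) or reuse. Defaults to "artifacts".

.PARAMETER osSelection
Which template set to publish: "windows" or "linux". Selects the sibling folder of this script.

.PARAMETER sasPermissions
Permissions granted by the SAS embedded in the link. Defaults to "r" (read), which is all the portal
and the VM extensions need to download the template and scripts. Add "w" only if the template or a
script you deploy writes results back into this container.

.PARAMETER sasValidityHours
Lifetime of the SAS in hours (1-24). Defaults to 1, which is the cmdlet's own default when no expiry
is given; raise it only if a deployment needs longer to fetch the artifacts.

.NOTES
Requires the Az.Storage module and an existing Az session (Connect-AzAccount).
#>
Param(
    [string]
    [Parameter(Mandatory = $true)]
    $resourceGroupName,

    [string]
    [Parameter(Mandatory = $true)]
    $storageAccountName,

    [string]
    [Parameter(Mandatory = $false)]
    $containerName = "artifacts",

    [string]
    [Parameter(Mandatory = $true)]
    [Validateset("windows","linux")]
    $osSelection,

    [string]
    [Parameter(Mandatory = $false)]
    [ValidatePattern('^[rwdl]+$')]
    $sasPermissions = "r",

    [int]
    [Parameter(Mandatory = $false)]
    [ValidateRange(1, 24)]
    $sasValidityHours = 1
)

$ErrorActionPreference = "Stop"

$context = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).Context

# Look the container up by exact name. The original used -Prefix, which also matches any container
# whose name merely starts with $containerName (e.g. "artifacts-old") and then skips creating the one
# actually being uploaded to. -ErrorAction SilentlyContinue is needed because $ErrorActionPreference
# is Stop and a missing container is reported as an error rather than an empty result.
if (-not (Get-AzStorageContainer -Context $context -Name $containerName -ErrorAction SilentlyContinue)) {
    # -Permission Off: no anonymous access; everything is reached through the SAS below.
    New-AzStorageContainer -Context $context -Name $containerName -Permission Off
}

# Resolve the OS folder relative to this script, not the caller's working directory, so invoking the
# script from elsewhere fails loudly instead of uploading nothing.
$osPath = Join-Path -Path $PSScriptRoot -ChildPath $osSelection
if (-not (Test-Path -Path $osPath -PathType Container)) {
    throw "Template folder '$osPath' was not found next to this script."
}

Get-ChildItem -Path $osPath -Exclude "publish-to-blob.ps1","*.md" -File -Recurse |
    Set-AzStorageBlobContent -Context $context -Container $containerName -Force

# Least privilege for a deployment link. The original issued rwdl (read/write/delete/list) with the
# implicit expiry, which let anyone who obtained the printed URL replace or delete the templates and
# scripts that get executed on the VM. Read is sufficient for the portal and the extensions to
# download them; the expiry is stated explicitly so the lifetime is visible in the script.
$sasToken = New-AzStorageContainerSASToken -Context $context -Name $containerName `
    -Permission $sasPermissions -ExpiryTime (Get-Date).AddHours($sasValidityHours)

$portalUrl = "https://portal.azure.com"
if ((Get-AzContext).Environment.Name -eq "AzureUSGovernment") {
    $portalUrl = "https://portal.azure.us"
}

# Both OS flavours publish the same two entry-point blobs, so one code path builds the link.
$mainTemplateUrl = (Get-AzStorageBlob -Context $context -Container $containerName -Blob "mainTemplate.json").ICloudBlob.Uri.AbsoluteUri + $sasToken
$createUIDefUrl = (Get-AzStorageBlob -Context $context -Container $containerName -Blob "createUiDefinition.json").ICloudBlob.Uri.AbsoluteUri + $sasToken

$deployPath = "/#create/Microsoft.Template/uri/$([uri]::EscapeDataString($mainTemplateUrl))/createUIDefinitionUri/$([uri]::EscapeDataString($createUIDefUrl))"

# Keep the original output format: "Windows: <url>" or "Linux: <url>".
$label = if ($osSelection -eq "windows") { "Windows" } else { "Linux" }
Write-Host "$($label): $($portalUrl)$($deployPath)"
Write-Warning "The link above embeds a SAS token ($sasPermissions) valid for $sasValidityHours hour(s); share it only with the person performing the deployment."
-------------------------------------------------------------------------------- /stig/publish-to-existing-vm.md: -------------------------------------------------------------------------------- 1 | # Publish to Existing VM Instructions 2 | 3 | The following script was created to enable the usage of the STIG templates on an existing VM. This script should not be used in a production environment. 4 | 5 | # Notes 6 | The script is dependent on first running publish-to-blob.ps1, to ensure all of the template files are available for automation. 7 | 8 | 9 | ```Powershell 10 | 11 | <# 12 | .SYNOPSIS 13 | This script is designed to deploy the STIG configuration to an existing Server 2016 or Server 2019 instance. 14 | 15 | .DESCRIPTION 16 | This script is designed to apply the following STIG configurations to Server 2019 or Server 2016 17 | 18 | WindowsServerStig (2016\2019) 19 | Internet Explorer 11 20 | DotnetFramework 21 | WindowsDefender 22 | WindowsFirewall 23 | 24 | .PARAMETER ResourceGroupName 25 | Specifies the Resource group that contains the storage account populated by "publish-to-blob.ps1". 26 | 27 | .PARAMETER VmName 28 | Specifies the name of the existing virtual machine the STIG configuration is applied to. 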
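29 | 30 | .PARAMETER StorageAccountName 31 | Specifies the name of the storage account populated by "publish-to-blob.ps1" 32 | 33 | .PARAMETER ContainerName 34 | Specifies the name of the container populated by "publish-to-blob.ps1" 35 | 36 | .NOTES 37 | This script is meant for use in a development environment 38 | This script is included to assist applying STIG to a single Server 2016 or Server 2019 VM 39 | *****You must run publish-to-blob.ps1 to move the essential files to blob storage***** 40 | The SAS generated below is read-only and valid for one hour; the VM extensions only download from the container. 41 | .EXAMPLE 42 | .\publish-to-existing-vm.ps1 -ResourceGroupName "TestRG" -VmName "TestVM" -StorageAccountName "stigartifacts" -ContainerName "artifacts" 43 | #> 44 | [CmdletBinding()] 45 | param 46 | ( 47 | [Parameter(Mandatory = $true)] 48 | [string] 49 | $ResourceGroupName, 50 | 51 | [Parameter(Mandatory = $true)] 52 | [string] 53 | $VmName, 54 | 55 | [Parameter(Mandatory = $true)] 56 | [string] 57 | $StorageAccountName, 58 | 59 | [Parameter(Mandatory = $true)] 60 | [string] 61 | $ContainerName 62 | ) 63 | 64 | # Custom script extension files 65 | $requiredModulesFile = "RequiredModules.ps1" 66 | $installPSModulesFile = "InstallModules.ps1" 67 | $generateStigChecklist = "GenerateStigChecklist.ps1" 68 | 69 | # Get VM details (looked up by name only: the VM may live in a different resource group than the storage account) 70 | $vm = Get-AzVM -Name $VmName 71 | if($null -eq $vm) 72 | { 73 | Write-Host "Invalid VM name" 74 | return 75 | } 76 | 77 | # Get storage account details. The original re-tested $vm here (copy/paste), so a wrong account name was never caught. 78 | $context = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -ErrorAction SilentlyContinue).Context 79 | if($null -eq $context) 80 | { 81 | Write-Host "Invalid storage account name, please run publish-to-blob.ps1 to ensure dependencies are in cloud storage" 82 | return 83 | } 84 | 85 | # Confirm the container exists before signing for it (New-AzStorageContainerSASToken signs locally and never returns $null for a missing container), then issue a read-only, short-lived SAS: the extensions only download these files. The original issued rwdl with the implicit expiry. 86 | if($null -eq (Get-AzStorageContainer -Context $context -Name $ContainerName -ErrorAction SilentlyContinue)) 87 | { 88 | Write-Host "Invalid container name, please run publish-to-blob.ps1 to ensure dependencies are in cloud storage" 89 | return 90 | } 91 | $sasToken = New-AzStorageContainerSASToken -Context $context -Name $ContainerName -Permission r -ExpiryTime (Get-Date).AddHours(1) 92 | $requiredModulesFileUrl = 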
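(Get-AzStorageBlob -Context $context -Container $containerName -Blob $requiredModulesFile).ICloudBlob.Uri.AbsoluteUri + $sasToken 93 | $installPSModulesFileUrl = (Get-AzStorageBlob -Context $context -Container $containerName -Blob $installPSModulesFile).ICloudBlob.Uri.AbsoluteUri + $sasToken 94 | $generateStigChecklistUrl = (Get-AzStorageBlob -Context $context -Container $containerName -Blob $generateStigChecklist).ICloudBlob.Uri.AbsoluteUri + $sasToken 95 | 96 | # CustomScript Extension install modules. NOTE(review): -FileUri is most likely stored in the extension's public settings, so these SAS-bearing URLs are readable by anyone with read access to the VM resource; keep the SAS read-only and short-lived (see above). 97 | $fileUriGroup = @($requiredModulesFileUrl,$installPSModulesFileUrl,$generateStigChecklistUrl) 98 | Set-AzVMCustomScriptExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Name "install-powershell-modules" -FileUri $fileUriGroup -Run "$installPSModulesFile -autoInstallDependencies $true" -Location $vm.Location 99 | 100 | # DSC extension Apply configuration. NOTE(review): this repository's stig/windows folder ships Windows.ps1.zip; confirm that the archive and configuration names below match what publish-to-blob.ps1 uploaded before running this. 101 | Set-AzVMDscExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ArchiveBlobName "WindowsServer.ps1.zip" -ArchiveStorageAccountName $storageAccountName -ArchiveContainerName $containerName -ConfigurationName "WindowsServer" -Version "2.77" -Location $vm.Location 102 | ``` -------------------------------------------------------------------------------- /stig/windows/InstallModules.ps1: --------------------------------------------------------------------------------
<#
.SYNOPSIS
Prepares a Windows VM for the STIG DSC configuration: WinRM (Windows 10 only), the pinned DSC
modules, the WSMan envelope size, and password expiry on the built-in Administrator (V-205658).

.DESCRIPTION
Runs on the target VM through the Custom Script Extension (see publish-to-existing-vm.md). When
-autoInstallDependencies is "True" it dot-sources RequiredModules.ps1 from the same folder and installs
exactly the module versions it lists.

.PARAMETER autoInstallDependencies
Kept as [string] for compatibility with the extension command line ("-autoInstallDependencies True").
Any value that string-compares equal to "True" (case-insensitive) enables module installation.

.NOTES
Supply chain: Install-Module pulls from whichever repository is registered on the VM (normally the
public PowerShell Gallery). Versions are pinned, but nothing here verifies module signatures or
publishers; on an isolated network point the gallery at an internal mirror, or pre-stage the modules
in the image and run without -autoInstallDependencies.
#>
Param(
    [string]
    [Parameter(Mandatory = $false)]
    $autoInstallDependencies = $false
)

$osVersion = (Get-WmiObject Win32_OperatingSystem).Caption

if ($osVersion -Match "Windows 10")
{
    winrm quickconfig -quiet

    # WinRM settings require the NIC not to be on the Public profile, so the first connection
    # profile is moved to Private. Note this relaxes the host firewall's inbound posture for that
    # network; it is only done on Windows 10 clients.
    $networkName = (Get-NetConnectionProfile)[0].Name
    Set-NetConnectionProfile -Name $networkName -NetworkCategory Private
}

# String comparison on purpose: the parameter arrives as text from the extension command line.
if ($autoInstallDependencies -eq $true) {
    . "$PSScriptRoot\RequiredModules.ps1"

    # Added to support package provider download on Server 2016 (the gallery requires TLS 1.2).
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

    $requiredModules = Get-RequiredModules

    # Exact versions from RequiredModules.ps1; -RequiredVersion keeps the install reproducible.
    foreach ($requiredModule in $requiredModules) {
        Install-Module -Name $requiredModule.ModuleName -RequiredVersion $requiredModule.ModuleVersion -Force
    }
}

# Increase the MaxEnvelope size so the DSC configuration fits in a single WSMan message.
Set-Item -Path WSMan:\localhost\MaxEnvelopeSizekb -Value 8192

# V-205658: the built-in Administrator account must have password expiration enabled.
# Select the account by its well-known RID (500) rather than by the English description text, which is
# translated on non-English images and would leave $localAdmin null; the original then called
# Set-LocalUser with a null name and the control was silently skipped.
$localAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
if ($null -eq $localAdmin) {
    # Fall back to the original description match so behaviour is unchanged wherever it worked before.
    $localAdmin = Get-LocalUser | Where-Object Description -eq "Built-in account for administering the computer/domain"
}
if ($null -eq $localAdmin) {
    # Fail the extension rather than report success with the control unapplied.
    throw "Built-in Administrator account (RID 500) was not found; V-205658 could not be applied."
}
Set-LocalUser -Name $localAdmin.Name -PasswordNeverExpires $false
-------------------------------------------------------------------------------- /stig/windows/README.md: -------------------------------------------------------------------------------- 1 | > **ATTENTION**: For latest and up to date documentation [please click here to be re-directed to Azure Government Documentation page.](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-stig-windows-vm) 2 | 3 | # Deploy Azure Virtual Machine (Windows) and apply STIG 4 | 5 | [![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Fwindows%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Fwindows%2FcreateUiDefinition.json) 6 | [![Deploy To Azure 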
Gov](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.svg?sanitize=true)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Fwindows%2FmainTemplate.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fato-toolkit%2Fmaster%2Fstig%2Fwindows%2FcreateUiDefinition.json) 7 | 8 | Use this template to deploy Azure Virtual Machine with select Windows 2019 Operating Systems. Template executes automation provided by [PowerSTIG](https://github.com/microsoft/PowerStig) via [Azure Custom Scripts Extension](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows) to apply [STIG](https://public.cyber.mil/stigs/). 9 | 10 | For add-ons to the STIG templates, see: 11 | - [Publish to Shared Gallery](https://github.com/Azure/ato-toolkit/blob/master/stig/publish-to-shared-gallery.md) 12 | - [Publish to Existing VM](https://github.com/Azure/ato-toolkit/blob/master/stig/publish-to-existing-vm.md) 13 | 14 | If you're new to Azure virtual machines, see: 15 | 16 | - [Azure Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) 17 | - [Azure Windows Virtual Machines documentation](https://docs.microsoft.com/azure/virtual-machines/windows/) 18 | - [Template reference](https://docs.microsoft.com/azure/templates/microsoft.compute/allversions) 19 | - [Quickstart templates](https://azure.microsoft.com/resources/templates/?resourceType=Microsoft.Compute&pageNumber=1&sort=Popular) 20 | 21 | If you're new to template deployment, see: 22 | 23 | - [Azure Resource Manager documentation](https://docs.microsoft.com/azure/azure-resource-manager/) 24 | - [Quickstart: Create a Windows virtual machine using an ARM template](https://docs.microsoft.com/azure/virtual-machines/windows/quick-create-template) 25 | 
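-------------------------------------------------------------------------------- /stig/windows/RequiredModules.ps1: --------------------------------------------------------------------------------
function Get-RequiredModules {
    <#
    .SYNOPSIS
    Returns the exact PowerShell Gallery module versions the Windows STIG DSC configuration depends on.

    .DESCRIPTION
    Consumed by InstallModules.ps1, which installs each entry with Install-Module -RequiredVersion.
    The versions are pinned on purpose so every VM gets the same bits. PowerSTIG declares its own
    required versions of the *Dsc resource modules, so do not bump a single entry in isolation; check
    the PowerSTIG module manifest and move the set together.

    .OUTPUTS
    Array of hashtables, each with ModuleName and ModuleVersion keys.
    #>
    # Every element is comma-separated. The original omitted the comma after the 'nx' entry; @( ) still
    # collected both lines as elements, but only because the newline acted as a statement separator,
    # which breaks the moment the list is reformatted onto one line.
    return @(
        @{ModuleName = 'AuditPolicyDsc';        ModuleVersion = '1.4.0.0' },
        @{ModuleName = 'AuditSystemDsc';        ModuleVersion = '1.1.0' },
        @{ModuleName = 'AccessControlDsc';      ModuleVersion = '1.4.1' },
        @{ModuleName = 'CertificateDsc';        ModuleVersion = '5.0.0' },
        @{ModuleName = 'ComputerManagementDsc'; ModuleVersion = '8.4.0' },
        @{ModuleName = 'FileContentDsc';        ModuleVersion = '1.3.0.151' },
        @{ModuleName = 'GPRegistryPolicyDsc';   ModuleVersion = '1.2.0' },
        @{ModuleName = 'nx';                    ModuleVersion = '1.0' },
        @{ModuleName = 'PSDscResources';        ModuleVersion = '2.12.0.0' },
        @{ModuleName = 'SecurityPolicyDsc';     ModuleVersion = '2.10.0.0' },
        @{ModuleName = 'SqlServerDsc';          ModuleVersion = '13.3.0' },
        @{ModuleName = 'WindowsDefenderDsc';    ModuleVersion = '2.1.0' },
        @{ModuleName = 'xDnsServer';            ModuleVersion = '1.16.0.0' },
        @{ModuleName = 'xWebAdministration';    ModuleVersion = '3.2.0' },
        @{ModuleName = 'PowerSTIG';             ModuleVersion = '4.16.0' }
    )
}
-------------------------------------------------------------------------------- /stig/windows/Windows.ps1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ato-toolkit/64545620d82480c2e17d1e80b8938591338623c1/stig/windows/Windows.ps1.zip -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/.sspassistant: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ato-toolkit/64545620d82480c2e17d1e80b8938591338623c1/zero trust architecture blueprint/archive/implementation-statements/.sspassistant 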
-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/README.md: -------------------------------------------------------------------------------- 1 | # Instructions 2 | 3 | > [!IMPORTANT] 4 | > Microsoft Azure and Microsoft Azure Government cloud services meet the requirements of the US Federal Risk & Authorization Management Program (FedRAMP) and of the US Department of Defense for information impact levels 2 through 5. More information on Azure compliance can be found [here](https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home?view=o365-worldwide). The current list of in-scope cloud services across Azure and Azure Government for FedRAMP and DoD CC SRG compliance offerings can be found [here](https://docs.microsoft.com/en-us/azure/azure-government/compliance/azure-services-in-fedramp-auditscope). 5 | > 6 | > [!IMPORTANT] 7 | > Customers should use these 'implementation-statements' as a starting point to populate their System Security Plans (SSP) and other relevant compliance documentation. However, customer responsibility statements are guiding principles for customers and their 3PAOs (compliance assessors) and should be used as reference points for implementation statements and overall responsibilities. Microsoft provides general guidance on responsibilities and pre-populates, to the extent feasible, implementation statements based on Azure services in scope. Customer configurations can vary due to the scope of their implementation. Evaluate every statement against the configuration actually deployed in your environment before final SSP incorporation; a pre-populated statement describes a capability Azure offers, not evidence that it is enabled in your system. 8 | > 9 | > [!IMPORTANT] 10 | > Disclaimer: Customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. Information provided in this document does not constitute legal advice, and customers should consult their legal advisors for any questions regarding legal or regulatory compliance. 11 | 12 | 1. 
Clone the current directory and all its sub-directories and files. 13 | * Optionally, use the VSCode extension for assistance with authoring and managing 'implementation-statements' in markdown. 14 | 2. Replace all instances of "Org." with your organization name in all the markdown files. 15 | 3. Update the "Implementation Status" and "Control Origination" sections with the applicable selections for your cloud service. The templates ship with "Implemented", "Service Provider System Specific" and "Shared" pre-selected; change these to reflect the actual state of each control rather than leaving the defaults in place. 16 | 4. "Org. Shared Responsibilities Guidance" is a set of instructions for you to implement your cloud-service-specific responsibilities. 17 | * After implementation, remove this section from the document before producing the final SSP. 18 | 5. Review, replace placeholders (marked by TODO:, blank underscored lines, and otherwise) and fill out additional details as applicable in the "Implementation Statement" section for each control and their applicable subparts. 19 | 6. Fill out details of any planned controls in the "Org. Planned Controls" section or remove the section before finalizing the SSP. 20 | 7. The "Org.'s Customer Responsibility" section is for you to describe responsibilities that customers of your cloud service need to implement. Fill out the details as applicable or remove the section before finalizing the SSP. 21 | 22 | ## Feedback 23 | 24 | For more information, questions, or feedback please [contact us](https://aka.ms/zerotrust-blueprint-feedback). 25 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ac/ac-02.12.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AC-02(12) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization: 30 | 31 | (a) Monitors information system accounts for [Assignment: organization-defined atypical usage]; and 32 | 33 | (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]. 34 | 35 | ### Org. Shared Responsibilities Guidance 36 | 37 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 38 | 39 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 40 | 41 | 1. Defining atypical usage for the Org. environment (AC-02(12).a) 42 | 2. Selecting monitoring mechanisms to monitor for atypical usage (AC-02(12).a) 43 | 3. Monitoring Org.-controlled accounts for atypical usage (AC-02(12).a) 44 | 4. Reporting atypical behavior of Org.-controlled accounts to the ISSO (or equivalent role) (AC-02(12).b) 45 | 46 | Org. should clearly document in the section below how it implements controls requirements. 
47 | 48 | ## Part a 49 | 50 | ### Implementation Statement 51 | 52 | Org. is responsible for monitoring Org.-controlled accounts for atypical usage. 53 | 54 | Org. implements ______________________________________________________. 55 | 56 | TODO: Optional placeholder for non Azure, OSS or custom implementations 57 | 58 | Org. implements various Azure services to meet this control requirement such as _________________. 59 | 60 | Just-In-Time (JIT) virtual machine access is used to lock down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. All JIT requests to access virtual machines are logged in the Activity Log allowing monitoring for atypical usage. JIT network access control is applied on virtual machines. Azure AD Activity and activity from the PIM module are reviewed using the Azure Portal. 61 | 62 | In addition, Org. leverages the Azure Policy to implement the OMS Security and Audit Solutions Identity and Access Dashboard to enable account managers to monitor the use of information system accounts and access attempts against deployed resources. 63 | 64 | ### Org. Planned Controls 65 | 66 | TODO: Fill this out as needed or remove the section 67 | 68 | ### Org.'s Customer Responsibility 69 | 70 | TODO: Fill this out as needed or remove the section 71 | 72 | ## Part b 73 | 74 | ### Implementation Statement 75 | 76 | Org. is responsible for reporting of atypical behavior of Org.-controlled information system accounts to the ISSO (or other equivalent role). 77 | 78 | Org. implements ______________________________________________________. 79 | 80 | TODO: Optional placeholder for non Azure, OSS or custom implementations 81 | 82 | Org. implements various Azure services to meet this control requirement such as _________________. 83 | 84 | Org. leverages Azure Policy to implement the OMS Security and Audit solution's Identity and Access dashboard. 
This dashboard enables account managers to monitor access attempts against deployed resources. This solution is configured to send alerts to the ISSO (or equivalent role) when atypical activity is suspected or other predefined events occur. In addition, Azure AD Activity and activity from the PIM module are reviewed using the Azure Portal and also reported if Org.-defined atypical behavior is observed. 85 | 86 | ### Org. Planned Controls 87 | 88 | TODO: Fill this out as needed or remove the section 89 | 90 | ### Org.'s Customer Responsibility 91 | 92 | TODO: Fill this out as needed or remove the section 93 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ac/ac-04.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AC-04 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]. 30 | 31 | ### Org. 
Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Defining Information Flow enforcement policies and procedures 38 | 2. Controlling the flow of information within Org.-deployed resources and between interconnected systems. 39 | 3. Selecting information flow enforcement mechanisms to control information flow within Org.-deployed resources and between interconnected systems. 40 | 41 | Org. should clearly document in the section below how it implements controls requirements. 42 | 43 | ### Implementation Statement 44 | 45 | Org. is responsible for enforcing approved authorizations for controlling the flow of information within the system and between interconnected systems. 46 | 47 | Org. implements ______________________________________________________. 48 | 49 | TODO: Optional placeholder for non Azure, OSS or custom implementations 50 | 51 | Org. implements various Azure services to meet this control requirement such as _________________. 52 | 53 | Org. leverages Azure Policy to enforce information flow restrictions, through the use of network security groups applied to the subnets in which resources are deployed. Network security groups ensure that information flow is controlled between resources based on approved rules. Cross origin resource sharing (CORS) allow App Services resources to be requested from an outside domain. The Policy assigns an Azure Policy definition to help monitor CORS resources access restrictions in Azure Security Center. 
Note that CORS is enforced by the requesting browser, not by the service: it does not restrict non-browser clients or server-to-server traffic, so the CORS policy check supplements the network security group rules described above rather than serving as an information flow control on its own. 54 | 55 | ### Org. Planned Controls 56 | 57 | TODO: Fill this out as needed or remove the section 58 | 59 | ### Org.'s Customer Responsibility 60 | 61 | TODO: Fill this out as needed or remove the section 62 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ac/ac-06.07.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AC-06(07) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization: 30 | 31 | (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and 32 | 33 | (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. 34 | 35 | ### Org. Shared Responsibilities Guidance 36 | 37 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. 
This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 38 | 39 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 40 | 41 | 1. Defining all Org.-controlled accounts in accordance with AC-2 (AC-06(07).a) 42 | 2. Reviewing user privileges of Org.-controlled accounts to validate the need for such privileges. (AC-06(07).a) 43 | 3. Reassigning or removing privileges assigned to Org.-defined roles, if necessary, to correctly reflect the organizational mission/business needs. (AC-06(07).b) 44 | 45 | Org. should clearly document in the section below how it implements controls requirements. 46 | 47 | ## Part a 48 | 49 | ### Implementation Statement 50 | 51 | Org. is responsible for reviewing user privileges of Org.-controlled accounts to validate the need for such privileges. 52 | 53 | Org. implements ______________________________________________________. 54 | 55 | TODO: Optional placeholder for non Azure, OSS or custom implementations 56 | 57 | Org. implements various Azure services to meet this control requirement such as _________________. 58 | 59 | Org. leverages Azure services to review account privileges for class of users and roles in AAD and Security Groups. Information system privileges are organized into roles using Role-based Access Control (RBAC) using AAD, AD Security Groups and Privileged Identity Management (PIM). Each privileged user is assigned roles within their service team that correspond to a Security Group. Each security group is assigned permissions to correlating environments with appropriate access to properly fulfill their tasks. Org. Administrators review access to Azure resources and assign Azure Policy definitions to audit the use of custom RBAC roles. 
The Policy allows for creation of environment designs that deploy Azure resources from Resource Manager templates, configure RBAC, and enforce and audit configuration. Org. Administrators enforce Azure policy across all Azure resources. 60 | 61 | Leveraging Azure Policy, Administrators can review who has access to Azure resources and their permissions; thus being able to disable/revoke privileges as needed (See AC-2 and AC-2 (7) for more details). 62 | 63 | ### Org. Planned Controls 64 | 65 | TODO: Fill this out as needed or remove the section 66 | 67 | ### Org.'s Customer Responsibility 68 | 69 | TODO: Fill this out as needed or remove the section 70 | 71 | ## Part b 72 | 73 | ### Implementation Statement 74 | 75 | Org. is responsible for reassigning or removing privileges for Org.-controlled accounts when appropriate. 76 | 77 | Org. implements ______________________________________________________. 78 | 79 | TODO: Optional placeholder for non Azure, OSS or custom implementations 80 | 81 | Org. implements various Azure services to meet this control requirement such as _________________. 82 | 83 | Org. leverages AAD to reassign privileges for role assignments when those assignments are no longer appropriate. Leveraging Azure Policy, Administrators can review who has access to Azure resources and their permissions, thus being able to disable/revoke privileges for the roles as needed (See AC-2 and AC-2 (7) for more details). 84 | 85 | ### Org. Planned Controls 86 | 87 | TODO: Fill this out as needed or remove the section 88 | 89 | ### Org.'s Customer Responsibility 90 | 91 | TODO: Fill this out as needed or remove the section 92 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ac/ac-1.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AC-01 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization: 30 | 31 | a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 32 | 33 | 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 34 | 35 | 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and 36 | 37 | b. Reviews and updates the current: 38 | 39 | 1. Access control policy [Assignment: organization-defined frequency]; and 40 | 41 | 2. Access control procedures [Assignment: organization-defined frequency]. 42 | 43 | ### Org. Shared Responsibilities Guidance 44 | 45 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 46 | 47 | Org. should clearly document in the section below how it implements controls requirements. 48 | 49 | ## Part a 50 | 51 | ### Implementation Statement 52 | 53 | Org. 
has formal Access Control policies for the information system as documented in the Org. Policies and Procedures – Access Control document. 54 | 55 | Org. has developed procedures to facilitate the implementation of the Access Control policy and associated controls as documented in the Org. Policies and Procedures – Access Control document. 56 | 57 | The policies and procedures are stored on [storage location](TODO: Place the url) and made available to all personnel who require access to the documents. 58 | 59 | ## Part b 60 | 61 | ### Implementation Statement 62 | 63 | Org. reviews and updates the Org. Access Control policy at least annually or when a significant change occurs. Org. also reviews and updates the Org. Access Control procedures on at least an annual basis or whenever there is a significant change. 64 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ac/ac-17.01.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AC-17(01) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system monitors and controls remote access methods. 30 | 31 | ### Org. 
Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Monitoring and Controlling remote access methods for Org.-deployed resources 38 | 2. Disconnecting malicious remote access sessions when detected 39 | 40 | Org. should clearly document in the section below how it implements controls requirements. 41 | 42 | ### Implementation Statement 43 | 44 | Org. monitors and controls remote access methods for Org.-deployed resources. 45 | 46 | Org. implements ______________________________________________________. 47 | 48 | TODO: Optional placeholder for non Azure, OSS or custom implementations 49 | 50 | Org. implements various Azure services to meet this control requirement such as _________________. 51 | 52 | Access methods are controlled by groups defined in Azure Active Directory, Privileged Identity Management (PIM), and network boundary protection mechanisms (Security groups, network ACLs and routing rules). Actions performed while connected remotely are captured in audit logs, with these events being sent through to the centralized logging repository and associated audit and analysis tools. These audit logs are available to the appropriate teams for review and triage in the event of an incident. 53 | 54 | In addition, Org. leverages Azure Policy to monitor that remote debugging for Azure App Service application is turned off and audit Linux virtual machines that allow remote connections from accounts without passwords. 
This Policy also assigns an Azure Policy definition that helps monitor unrestricted access to storage accounts. By monitoring these indicators, Org. is able to confirm remote access methods comply with security policy. 55 | 56 | ### Org. Planned Controls 57 | 58 | TODO: Fill this out as needed or remove the section 59 | 60 | ### Org.'s Customer Responsibility 61 | 62 | TODO: Fill this out as needed or remove the section 63 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ac/ac-23.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AC-23 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. 
This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Defining and selecting Data Mining prevention and detection techniques 38 | 2. Adequately detecting and protecting against data mining using selected techniques 39 | 40 | Org. should clearly document in the section below how it implements controls requirements. 41 | 42 | ### Implementation Statement 43 | 44 | Org. implements ______________________________________________________. 45 | 46 | TODO: Optional placeholder for non Azure, OSS or custom implementations 47 | 48 | Org. implements various Azure services to meet this control requirement such as _________________. 49 | 50 | Org. leverages Azure Policy definitions to help ensure data security notifications are properly enabled. In addition, the Policy ensures that auditing and advanced data security are configured on SQL Servers, including Advanced data security being enabled on SQL servers and on SQL managed instances. Azure policy also ensures that Advanced Threat Protection types are set to 'All' in SQL server Advanced Data Security settings and SQL managed instance Advanced Data Security settings. The Policy further ensures that auditing is enabled on advanced data security settings on SQL Server, email notifications to admins and subscription owners are enabled in SQL server advanced data security settings, and in SQL managed instance advanced data security settings. The policy is used to assign an email address to receive security alerts for both SQL servers and managed instances. 51 | 52 | ### Org. 
Planned Controls 53 | 54 | TODO: Fill this out as needed or remove the section 55 | 56 | ### Org.'s Customer Responsibility 57 | 58 | TODO: Fill this out as needed or remove the section 59 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/au/au-03.02.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AU-03(02) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components]. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. 
is still responsible for providing the following capabilities: 36 | 37 | 1. Selecting a centralized management and configuration tool for audit logs 38 | 2. Identifying system components that generate audit records 39 | 3. Deploying the selected tool for implementing centralized management and configuration of the content to be captured in audit records of Org.-deployed resources. 40 | 41 | Org. should clearly document in the section below how it implements the control requirements. 42 | 43 | ### Implementation Statement 44 | 45 | Org. is responsible for implementing centralized management and configuration of the content to be captured in audit records of Org.-deployed resources. 46 | 47 | Org. implements ______________________________________________________. 48 | 49 | TODO: Optional placeholder for non Azure, OSS or custom implementations 50 | 51 | Org. implements various Azure services to meet this control requirement such as _________________. 52 | 53 | For infrastructure (and OS) components, Org. leverages Azure Monitor and Log Analytics. Azure log data is collected by Azure Monitor and stored in a Log Analytics workspace, enabling centralized configuration and management. The Azure Policy confirms events are logged by assigning Azure Policy definitions that audit and enforce deployment of the Log Analytics agent on Azure virtual machines. The Azure Policy also audits and deploys the Log Analytics agent on VM images (OS), Linux and Windows virtual machines, and Linux and Windows virtual machine scale sets (VMSS). Deploying the agent ensures logs are collected centrally; which event categories and fields are captured is determined by the workspace data collection settings (and, on Windows hosts, the configured audit policy), so those settings should be identified here as the centrally managed content configuration this control requires. 54 | 55 | ### Org. 
Planned Controls 56 | 57 | TODO: Fill this out as needed or remove the section 58 | 59 | ### Org.'s Customer Responsibility 60 | 61 | TODO: Fill this out as needed or remove the section 62 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/au/au-05.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AU-05 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system: 30 | 31 | a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and 32 | 33 | b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. 34 | 35 | ### Org. Shared Responsibilities Guidance 36 | 37 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 
38 | 39 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 40 | 41 | 1. Identifying events that characterize audit processing failures (ex. storage quota is reached, audit hardware/software issues) 42 | 2. Providing alerts in case of audit processing failures across the information system 43 | 3. Alerting Org.-defined personnel in case of audit processing failures 44 | 4. Identifying and taking actions when audit processing failures occur on Org.-deployed resources. 45 | 46 | Org. should clearly document in the section below how it implements controls requirements. 47 | 48 | ## Part a 49 | 50 | ### Implementation Statement 51 | 52 | Org. is responsible for providing alerts in response to audit processing failures (e.g., storage quota is reached, audit hardware/software errors) of Org.-deployed resources to the ISSO (or equivalent) and the Security Contols Assessor (SCA). 53 | 54 | Org. implements ______________________________________________________. 55 | 56 | TODO: Optional placeholder for non Azure, OSS or custom implementations 57 | 58 | Org. implements various Azure services to meet this control requirement such as _________________. 59 | 60 | Org. leverages Azure Policy definitions that monitor audit and event logging configurations. The Azure Policy ensures that auditing is enabled on advanced data security settings on SQL Server, and advanced data security is enabled on managed instances and on SQL servers. Monitoring these configurations provides an indicator of an audit system failure or misconfiguration and helps take corrective actions. 61 | 62 | All audit records generated by resources deployed by this Policy are collected by Log Analytics and retained for a period of one year. The storage allocation for this audit record storage is dynamically allocated ensuring sufficient capacity is available. 63 | 64 | ### Org. 
Planned Controls 65 | 66 | TODO: Fill this out as needed or remove the section 67 | 68 | ### Org.'s Customer Responsibility 69 | 70 | TODO: Fill this out as needed or remove the section 71 | 72 | ## Part b 73 | 74 | ### Implementation Statement 75 | 76 | Org. is responsible for taking actions when audit processing failures occur for Org.-deployed resources. 77 | 78 | Org. implements ______________________________________________________. 79 | 80 | TODO: Optional placeholder for non Azure, OSS or custom implementations 81 | 82 | Org. implements various Azure services to meet this control requirement such as _________________. 83 | 84 | ### Org. Planned Controls 85 | 86 | TODO: Fill this out as needed or remove the section 87 | 88 | ### Org.'s Customer Responsibility 89 | 90 | TODO: Fill this out as needed or remove the section 91 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/au/au-06.04.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AU-06(04) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system provides the capability to centrally review and analyze audit records from multiple components within the system. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Collection and configuration of all audit records for Org. managed resources; 38 | 2. Implementation of Azure Policies or Org. technical mechanisms to centrally collect audit records; 39 | 3. Aggregation, configuration and review of any audit records that not integrated or collected by underlying Azure services. 40 | 41 | Org. should clearly document in the section below how it implements controls requirements. 42 | 43 | ## Implementation Statement 44 | 45 | Org. 
provides the capability to centrally review and analyze audit records collected from Org.-deployed resources (to include applications, operating systems, databases, and software). 46 | 47 | Org. leverages Azure infrastructure capabilities to collect audit records from underlying sources of audit records. Org. also manages resources that are configured and operating independent of the underlying Azure services. Org. produces the customer audit records which are generated and to centrally review and analyze by the following mechanisms: 48 | 49 | Org. implements ______________________________________________________. 50 | 51 | TODO: Optional placeholder for non Azure, OSS or custom implementations 52 | 53 | Org. implements various Azure services to meet this control requirement such as _________________. 54 | 55 | Org. enables Azure policies that configure collection of Azure Log data by Azure Monitor and stores data in Log Analytics workspace enabling centralized configuration and management. Azure Policies utilize OMS Agents installed on Virtual infrastructure to enable this solution. 56 | 57 | Org. utilizes Azure Log Analytics to provide centralized processing of logs and generates insights and alerts from them. These capabilities include reporting, dashboarding, and analytics capabilities to get insights from incoming data and act on them. 58 | 59 | ### Org. Planned Controls 60 | 61 | TODO: Fill this out as needed or remove the section 62 | 63 | ### Org.'s Customer Responsibility 64 | 65 | TODO: Fill this out as needed or remove the section 66 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/au/au-06.05.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AU-06(05) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Integrating audit record analysis with analysis of data/information collected from other sources to further identify suspicious activity within Org.-deployed resources. 38 | 2. Identify sources of information to integrate audit record analysis with (ex. Vulnerability scan data, performance data, system monitoring data, and/or Org.- defined data). 
39 | 40 | Org. should clearly document in the section below how it implements controls requirements.. 41 | 42 | ### Implementation Statement 43 | 44 | Org. is responsible for integrating audit record analysis with analysis of data/information collected from other sources to further identify suspicious activity within Org.-deployed resources. 45 | 46 | Org. implements ______________________________________________________. 47 | 48 | TODO: Optional placeholder for non Azure, OSS or custom implementations 49 | 50 | Org. implements various Azure services to meet this control requirement such as _________________. 51 | 52 | Org. leverages Azure Policy to provide policy definitions to audit records with analysis of vulnerability assessment on virtual machines, virtual machine scale sets, SQL managed instances and SQL servers. These policy definitions also audit configuration of diagnostic logs to provide insight into operations that are performed within Azure resources. These insights provide real-time information about the security state of deployed resources and can help prioritize remediation actions. For detailed vulnerability scanning and monitoring, Azure Sentinel and Azure Security Center are leveraged as well. To enable the above functionality, Org. enables Vulnerability Assessment on Virtual Machines, on SQL servers, on SQL managed instances, and on SQL servers; as well as auditing diagnostic settings and Log Analytics Agent deployment on the VM image and in VMSS. In addition, Org. ensures that vulnerabilities are remediated in security configurations on virtual machine scale sets and on SQL databases using the Vulnerability assessment solution. 53 | 54 | ### Org. 
Planned Controls 55 | 56 | TODO: Fill this out as needed or remove the section 57 | 58 | ### Org.'s Customer Responsibility 59 | 60 | TODO: Fill this out as needed or remove the section 61 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/au/au-12.01.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: AU-12(01) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 
34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Compiling audit records into a system-wide audit trail for Org.-deployed resources (to include applications, operating systems, databases and software) 38 | 2. Addressing the level of tolerance allowed between time stamps of individual records in the audit trail. 39 | 40 | Org. should clearly document in the section below how it implements controls requirements. 41 | 42 | ### Implementation Statement 43 | 44 | Org. is responsible for compiling audit records into a system-wide audit trail for Org.-deployed resources (to include applications, operating systems, databases and software). 45 | 46 | Org. implements ______________________________________________________. 47 | 48 | TODO: Optional placeholder for non Azure, OSS or custom implementations 49 | 50 | Org. implements various Azure services to meet this control requirement such as _________________. 51 | 52 | Org. leverages Azure Policy to ensure system events are logged by assigning Azure Policy definitions that audit log settings on Azure resources. After defining resource types, the built-in policy checks whether diagnostic settings are enabled. 53 | 54 | ### Org. Planned Controls 55 | 56 | TODO: Fill this out as needed or remove the section 57 | 58 | ### Org.'s Customer Responsibility 59 | 60 | TODO: Fill this out as needed or remove the section 61 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/cm/cm-07.02.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: CM-07(02) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Preventing program execution in accordance with Org.-defined software program usage policies. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. 
implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to enable Adaptive application control in Azure Security Center. This provides end-to-end application whitelisting solution that can block or prevent specific software from running on Org. virtual machines. Org. can also enable enforcement mode that prohibits non-approved applications from running. Additionally, Org. can monitor virtual machines where an application whitelist is recommended but has not yet been configured. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/cm/cm-07.05.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: CM-07(02) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization: 30 | (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system]; 31 | 32 | (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and 33 | 34 | (c) Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency]. 35 | 36 | ### Org. Shared Responsibilities Guidance 37 | 38 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 39 | 40 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 41 | 42 | 1. Org. is responsible for employing a deny-all, permit-by-exception policy to allow the execution of authorized software programs on customer-deployed resources. The customer control implementation statement should address the employed policy. 43 | 2. Org. 
is responsible for reviewing and updating the list of authorized software programs at least monthly. 44 | 3. Org. is responsible for establishing a policy governing the installation of software on customer-deployed resources by users. 45 | 46 | Org. should clearly document in the section below how it implements controls requirements. 47 | 48 | ## Part a 49 | 50 | ### Implementation Statement 51 | 52 | Org. implements ______________________________________________________. 53 | 54 | TODO: Optional placeholder for non Azure, OSS or custom implementations 55 | 56 | Org. implements various Azure services to meet this control requirement such as _________________. 57 | 58 | Org. leverages Azure policies that enable Adaptive application control in Azure Security Center. Org. enables the enforcement mode that prohibits non-approved applications from running. Additionally, Org. can monitor virtual machines where an application whitelist is recommended but has not yet been configured. 59 | 60 | ### Org. Planned Controls 61 | 62 | TODO: Fill this out as needed or remove the section 63 | 64 | ### Org.'s Customer Responsibility 65 | 66 | TODO: Fill this out as needed or remove the section 67 | 68 | ## Part b 69 | 70 | ### Implementation Statement 71 | 72 | Org. implements ______________________________________________________. 73 | 74 | TODO: Optional placeholder for non Azure, OSS or custom implementations 75 | 76 | Org. implements various Azure services to meet this control requirement such as _________________. 77 | 78 | Org. leverages Azure Policy to enable Adaptive application control in Azure Security Center. Org. enables the enforcement mode that prohibits non-approved applications from running. Additionally, Org. can monitor virtual machines where an application whitelist is recommended but has not yet been configured. 79 | 80 | ### Org. 
Planned Controls 81 | 82 | TODO: Fill this out as needed or remove the section 83 | 84 | ### Org.'s Customer Responsibility 85 | 86 | TODO: Fill this out as needed or remove the section 87 | 88 | ## Part c 89 | 90 | ### Implementation Statement 91 | 92 | Org. implements ______________________________________________________. 93 | 94 | TODO: Optional placeholder for non Azure, OSS or custom implementations 95 | 96 | Org. implements various Azure services to meet this control requirement such as _________________. 97 | 98 | Org. leverages Azure policies that enable Adaptive application control in Azure Security Center. Org. enables the enforcement mode that prohibits non-approved applications from running. Additionally, Org. can monitor virtual machines where an application whitelist is recommended but has not yet been configured. 99 | 100 | ### Org. Planned Controls 101 | 102 | TODO: Fill this out as needed or remove the section 103 | 104 | ### Org.'s Customer Responsibility 105 | 106 | TODO: Fill this out as needed or remove the section 107 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/cm/cm-11.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: CM-11 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization: 30 | 31 | a. Establishes [Assignment: organization-defined policies] governing the installation of software by users; 32 | 33 | b. Enforces software installation policies through [Assignment: organization-defined methods]; and 34 | 35 | c. Monitors policy compliance at [Assignment: organization-defined frequency]. 36 | 37 | ### Org. Shared Responsibilities Guidance 38 | 39 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 40 | 41 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 42 | 43 | 1. Establishing policy governing user-installed software on Org. deployed resources. (CM-11.a) 44 | 2. Enforcing the policy governing user-installed software on Org. deployed resources by users. (CM-11.b) 45 | 3. Monitor the compliance of the policy governing user-installed software on Org. deployed resources by users. (CM-11.c) 46 | 4. 
Define a frequency at which policy compliance is monitored. (CM-11.c) 47 | 48 | Org. should clearly document in the section below how it implements controls requirements. 49 | 50 | ## Part a 51 | 52 | ### Implementation Statement 53 | 54 | Org. implements ______________________________________________________. 55 | 56 | TODO: Optional placeholder for non Azure, OSS or custom implementations 57 | 58 | Org. implements various Azure services to meet this control requirement such as _________________. 59 | 60 | ### Org. Planned Controls 61 | 62 | TODO: Fill this out as needed or remove the section 63 | 64 | ### Org.'s Customer Responsibility 65 | 66 | TODO: Fill this out as needed or remove the section 67 | 68 | ## Part b 69 | 70 | ### Implementation Statement 71 | 72 | Org. implements ______________________________________________________. 73 | 74 | TODO: Optional placeholder for non Azure, OSS or custom implementations 75 | 76 | Org. implements various Azure services to meet this control requirement such as _________________. 77 | 78 | Org. leverages Azure Policy; using Adaptive application control in Azure Security Center to provide end-to-end application whitelisting solution that can block or prevent specific software from running on virtual machines. Application control can enforce and monitor compliance with software restriction policies. This Policy assigns an Azure Policy definition that helps monitor virtual machines. 79 | 80 | ### Org. Planned Controls 81 | 82 | TODO: Fill this out as needed or remove the section 83 | 84 | ### Org.'s Customer Responsibility 85 | 86 | TODO: Fill this out as needed or remove the section 87 | 88 | ## Part c 89 | 90 | ### Implementation Statement 91 | 92 | Org. implements ______________________________________________________. 93 | 94 | TODO: Optional placeholder for non Azure, OSS or custom implementations 95 | 96 | Org. implements various Azure services to meet this control requirement such as _________________. 97 | 98 | Org. 
leverages Azure Policy, using Adaptive application control in Azure Security Center, which provides an end-to-end application whitelisting solution that can block or prevent specific software from running on virtual machines.
Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Establish time periods and transfer rate for the transfer of Org. back up data to the alternate site (to be consistent with Org.-defined recovery time objectives (RTO) and recovery point objectives (RPO)). 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to assign Policy definitions that audit the organization's system backup information to the alternate storage site electronically. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ia/ia-02.01.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: IA-02(01) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system implements multifactor authentication for network access to privileged accounts. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Implementing multifactor authentication (MFA) for network access to privileged accounts across the entire stack, including the application layer. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements multifactor authentication for network access to privileged accounts across the entire stack of the information system environment. 44 | 45 | Org. implements ______________________________________________________. 
46 | 47 | TODO: Optional placeholder for non Azure, OSS or custom implementations 48 | 49 | Org. implements various Azure services to meet this control requirement such as _________________. 50 | 51 | Org. leverages Azure Policy to restrict and control privileged access by assigning Policy definitions to audit accounts with owner and/or write permissions that don't have multi-factor authentication enabled. By monitoring accounts without multi-factor authentication enabled, Org. identifies accounts that may be more likely to be compromised and ensures that MFA is enabled on accounts with owner/write permissions on the subscriptions. 52 | 53 | ### Org. Planned Controls 54 | 55 | TODO: Fill this out as needed or remove the section 56 | 57 | ### Org.'s Customer Responsibility 58 | 59 | TODO: Fill this out as needed or remove the section 60 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ia/ia-02.02.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: IA-02(02) FedRAMP Control Enhancement 3 | ResponsibleRole: Org.
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system implements multifactor authentication for network access to non-privileged accounts. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Implementing multifactor authentication (MFA) for network access to non-privileged accounts across the entire stack, including the application layer. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements multifactor authentication for network access to non-privileged accounts across the entire stack of the information system environment. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. 
implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to restrict and control privileged access by assigning Azure Policy definitions to audit accounts with read permissions that don't have multi-factor authentication enabled. By monitoring accounts without multi-factor authentication enabled, Org. identifies accounts that may be more likely to be compromised and ensures that MFA is enabled on accounts with read permissions on the subscriptions. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/ir/ir-06.02.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: IR-06(02) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization reports information system vulnerabilities associated with reported security incidents to [Assignment: organization-defined personnel or roles]. 30 | 31 | ### Org.
Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Reporting the results and/or resulting information on system vulnerabilities associated with reported security incidents to appropriately defined personnel with security roles. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to provide policy definitions that audit records with analysis of vulnerability assessment on virtual machines, virtual machine scale sets, and SQL servers. These insights provide real-time information about the security state of Org. deployed resources and assist with prioritizing remediation actions. 50 | 51 | ### Org.
Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/sc/sc-05.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SC-05 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards]. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. 
enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Protect Org.-deployed resources from Org.-defined types of denial of service and define the security safeguards employed to protect against them. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. assigns an Azure Policy definition that audits if the DDoS standard tier is enabled. Network security groups are deployed to restrict external connectivity to resources deployed by this Policy. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/sc/sc-07.03.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SC-07(03) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization limits the number of external network connections to the information system. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Limiting the number of external connections to the Org. environment to those that are necessary for functionality and operational effectiveness. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org.
leverages Azure Policy to use Just-in-time (JIT) virtual machine access, which locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. Org. uses JIT virtual machine access to limit the number of external connections to resources in Azure. This Policy assigns an Azure Policy definition that helps monitor virtual machines that can support just-in-time access but haven't yet been configured. Just-In-Time network access control is applied on virtual machines. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/sc/sc-07.04.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SC-07(04) FedRAMP Control Enhancement 3 | ResponsibleRole: Org.
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [ ] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [ ] Shared (Service Provider and Customer Responsibility) 23 | * [x] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization: 30 | (a) Implements a managed interface for each external telecommunication service; 31 | 32 | (b) Establishes a traffic flow policy for each managed interface; 33 | 34 | (c) Protects the confidentiality and integrity of the information being transmitted across each interface; 35 | 36 | (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and 37 | 38 | (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need. 39 | 40 | ### Org. Shared Responsibilities Guidance 41 | 42 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 43 | 44 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 45 | 46 | 1. 
Boundary protection and access mechanisms related to protecting Virtual Machines 47 | 48 | Org. should clearly document in the section below how it implements controls requirements. 49 | 50 | ## Part a 51 | 52 | ### Implementation Statement 53 | 54 | Org. is responsible for all boundary protection and access mechanisms related to protecting Virtual Machines. 55 | 56 | TODO: Optional placeholder for non Azure, OSS or custom implementations 57 | 58 | Org. leverages Azure Policy to use Just-in-time (JIT) virtual machine access that locks down inbound traffic to Azure virtual machines, reducing exposure to attacks while providing easy access to connect to VMs when needed. JIT virtual machine access helps to manage exceptions to the traffic flow policy by facilitating the access request and approval processes. This Policy assigns an Azure Policy definition that helps monitor virtual machines that can support just-in-time access but haven't yet been configured. Just-In-Time network access control is applied on virtual machines. 59 | 60 | ### Org. Planned Controls 61 | 62 | TODO: Fill this out as needed or remove the section 63 | 64 | ### Org.'s Customer Responsibility 65 | 66 | TODO: Fill this out as needed or remove the section 67 | 68 | ## Part b 69 | 70 | ### Implementation Statement 71 | 72 | Please see SC-7 (4).a 73 | 74 | ### Org. Planned Controls 75 | 76 | TODO: Fill this out as needed or remove the section 77 | 78 | ### Org.'s Customer Responsibility 79 | 80 | TODO: Fill this out as needed or remove the section 81 | 82 | ## Part c 83 | 84 | ### Implementation Statement 85 | 86 | Please see SC-7 (4).a 87 | 88 | ### Org. Planned Controls 89 | 90 | TODO: Fill this out as needed or remove the section 91 | 92 | ### Org.'s Customer Responsibility 93 | 94 | TODO: Fill this out as needed or remove the section 95 | 96 | ## Part d 97 | 98 | ### Implementation Statement 99 | 100 | Please see SC-7 (4).a 101 | 102 | ### Org. 
Planned Controls 103 | 104 | TODO: Fill this out as needed or remove the section 105 | 106 | ### Org.'s Customer Responsibility 107 | 108 | TODO: Fill this out as needed or remove the section 109 | 110 | ## Part e 111 | 112 | ### Implementation Statement 113 | 114 | Please see SC-7 (4).a 115 | 116 | ### Org. Planned Controls 117 | 118 | TODO: Fill this out as needed or remove the section 119 | 120 | ### Org.'s Customer Responsibility 121 | 122 | TODO: Fill this out as needed or remove the section 123 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/sc/sc-07.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SC-07 FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system: 30 | 31 | a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; 32 | 33 | b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and 34 | 35 | c. 
Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. 36 | 37 | ### Org. Shared Responsibilities Guidance 38 | 39 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 40 | 41 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 42 | 43 | 1. Monitoring and controlling communications at and within the boundaries of the Org.-deployed system. (SC-07.a) 44 | 2. Implementing subnetworks for Org. deployed resources to logically separate publicly accessible resources from internal resources. (SC-07.b) 45 | 3. Managing connections to external networks or systems using boundary protection devices arranged in accordance with Org. security architecture, to which connections to external networks or systems will be restricted. (SC-07.c) 46 | 47 | Org. should clearly document in the section below how it implements controls requirements. 48 | 49 | ## Part a 50 | 51 | ### Implementation Statement 52 | 53 | Org. implements ______________________________________________________. 54 | 55 | TODO: Optional placeholder for non Azure, OSS or custom implementations 56 | 57 | Org. implements various Azure services to meet this control requirement such as _________________. 58 | 59 | Org. leverages Azure Policy to manage and control the system boundary by assigning an Azure Policy definition that monitors for network security group hardening recommendations in Azure Security Center. 
Azure Security Center analyzes traffic patterns of Internet facing virtual machines and provides network security group rule recommendations to reduce the potential attack surface. Additionally, this Policy also assigns policy definitions that monitor unprotected endpoints, applications, and storage accounts. Endpoints and applications that aren't protected by a firewall, and storage accounts with unrestricted access can allow unintended access to information contained within the information system. Network security group event and diagnostic logs are collected by OMS Log Analytics to allow monitoring. 60 | 61 | ### Org. Planned Controls 62 | 63 | TODO: Fill this out as needed or remove the section 64 | 65 | ### Org.'s Customer Responsibility 66 | 67 | TODO: Fill this out as needed or remove the section 68 | 69 | ## Part b 70 | 71 | ### Implementation Statement 72 | 73 | Org. implements ______________________________________________________. 74 | 75 | TODO: Optional placeholder for non Azure, OSS or custom implementations 76 | 77 | Org. implements various Azure services to meet this control requirement such as _________________. 78 | 79 | Please see SC-7.a 80 | 81 | ### Org. Planned Controls 82 | 83 | TODO: Fill this out as needed or remove the section 84 | 85 | ### Org.'s Customer Responsibility 86 | 87 | TODO: Fill this out as needed or remove the section 88 | 89 | ## Part c 90 | 91 | ### Implementation Statement 92 | 93 | Org. implements ______________________________________________________. 94 | 95 | TODO: Optional placeholder for non Azure, OSS or custom implementations 96 | 97 | Org. implements various Azure services to meet this control requirement such as _________________. 98 | 99 | Please see SC-7.a 100 | 101 | ### Org. 
Planned Controls 102 | 103 | TODO: Fill this out as needed or remove the section 104 | 105 | ### Org.'s Customer Responsibility 106 | 107 | TODO: Fill this out as needed or remove the section 108 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/sc/sc-08.01.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SC-08(01) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards]. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. 
enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Implement cryptographic measures for all data in transit (transmission) using SSL certificates, at all Org. deployed locations; unless a Protected Distribution System (PDS) is implemented. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to protect the confidentiality and integrity of transmitted information by assigning Azure Policy definitions that help monitor cryptographic mechanisms implemented for communications protocols. This ensures communications are properly encrypted, which protects information from unauthorized disclosure and modification. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/sc/sc-28.01.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SC-28(01) FedRAMP Control Enhancement 3 | ResponsibleRole: Org.
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components]. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following capabilities: 36 | 37 | 1. Implement cryptographic measures to prevent unauthorized disclosure and modification on, at a minimum, PII and classified information on any information system components storing data. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 
44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to enforce the use of cryptographic controls to protect information at rest by enforcing specific cryptographic controls and auditing the use of weak cryptographic settings. This allows Org. to take corrective actions to ensure resources are configured in accordance with their information security policy. Specifically, the policy definitions assigned require encryption for data lake storage accounts, require transparent data encryption on SQL databases, and audit missing encryption on SQL databases, virtual machine disks, and automation account variables. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/si/si-02.06.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SI-02(06) FedRAMP Control Enhancement 3 | ResponsibleRole: Org.
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following: 36 | 37 | 1. Removing previous versions of software and/or firmware components from the information system after updates have been installed, if they were not removed during the install/update process. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. removes organization-defined software and firmware components after updated versions have been installed. 44 | 45 | Org.
leverages Azure infrastructure capabilities to inherit underlying resources and underlying controls related to software and firmware component updates and removal. Org. also manages resources that are configured and operating independent of the underlying Azure services. 46 | 47 | TODO: Optional placeholder for non Azure, OSS or custom implementations 48 | 49 | Org. implements various Azure services to meet this control requirement such as _________________. 50 | 51 | Org. leverages Azure Policy to assign policy definitions that confirm that Org. applications are using the latest version of the .NET Framework, HTTP, Java, PHP, Python, and TLS. Org. identifies out of date software versions if they exist by utilizing Azure policy and then removes them. 52 | 53 | ### Org. Planned Controls 54 | 55 | TODO: Fill this out as needed or remove the section 56 | 57 | ### Org.'s Customer Responsibility 58 | 59 | TODO: Fill this out as needed or remove the section 60 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/si/si-03.01.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SI-3(01) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization centrally manages malicious code protection mechanisms. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following: 36 | 37 | 1. Define actions to take to review and confirm the potential impact or validity of false positives discovered during malicious code detection 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. 
leverages Azure Policy to manage endpoint protection, including malicious code protection, by assigning Azure Policy definitions that monitor for missing endpoint protection on virtual machines in Azure Security Center. Azure Security Center provides centralized management and reporting capabilities that enable real-time insight into the security state of deployed Azure resources. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/si/si-04.12.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SI-4(12) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts]. 30 | 31 | ### Org. 
Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following: 36 | 37 | 1. Employing automated mechanisms to alert security personnel of the inappropriate or unusual activities with security implications (i.e.: suspicious activity reports, reports on potential insider threats) and when there are threats identified by authoritative sources (e.g. CTOs), IAW CJCSM 6510.01B. 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy to provide policy definitions that help ensure data security notifications are properly enabled. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/implementation-statements/si/si-04.18.md: -------------------------------------------------------------------------------- 1 | --- 2 | Title: SI-4(18) FedRAMP Control Enhancement 3 | ResponsibleRole: Org. 
Roles 4 | --- 5 | ## Implementation Status (check all that apply) 6 | 7 | * [x] Implemented 8 | * [ ] Partially implemented 9 | * [ ] Planned 10 | * [ ] Alternative implementation 11 | * [ ] Not applicable 12 | 13 | --- 14 | 15 | ## Control Origination (check all that apply) 16 | 17 | * [ ] Service Provider Corporate 18 | * [x] Service Provider System Specific 19 | * [ ] Service Provider Hybrid (Corporate and System Specific) 20 | * [ ] Configured by Customer (Customer System Specific) 21 | * [ ] Provided by Customer (Customer System Specific) 22 | * [x] Shared (Service Provider and Customer Responsibility) 23 | * [ ] Inherited from pre-existing FedRAMP Authorization 24 | 25 | --- 26 | 27 | ## Control Description 28 | 29 | The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information. 30 | 31 | ### Org. Shared Responsibilities Guidance 32 | 33 | All customers should review their Customer Responsibilities requirements as documented in Microsoft Azure SSPs. Customers are responsible for implementation and documentation of controls not inherited directly from Microsoft. This includes all controls where a Shared or Customer provided responsibility is defined by Microsoft Azure. 34 | 35 | If Org. enables relevant Azure policies to implement this control, Org. is still responsible for providing the following: 36 | 37 | 1. Analyzing outbound communications traffic at the external boundary of the information system/perimeter and other Org. defined interior points to detect covert exfiltration of information (i.e.: steganography). 38 | 39 | Org. should clearly document in the section below how it implements controls requirements. 40 | 41 | ### Implementation Statement 42 | 43 | Org. implements ______________________________________________________. 
44 | 45 | TODO: Optional placeholder for non Azure, OSS or custom implementations 46 | 47 | Org. implements various Azure services to meet this control requirement such as _________________. 48 | 49 | Org. leverages Azure Policy and Advanced Threat Protection for Azure Storage to detect unusual and potentially harmful attempts to access or exploit storage accounts. Protection alerts, which can be indicators of covert exfiltration of information, include anomalous access patterns, anomalous extracts/uploads, and suspicious storage activity. 50 | 51 | ### Org. Planned Controls 52 | 53 | TODO: Fill this out as needed or remove the section 54 | 55 | ### Org.'s Customer Responsibility 56 | 57 | TODO: Fill this out as needed or remove the section 58 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/utils/authoring-assistant/README.md: -------------------------------------------------------------------------------- 1 | # Instructions 2 | 3 | Use the VSCode extension for improved experience of composing and managing 'implementation-statements' markdown files. Follow [these](https://code.visualstudio.com/docs/editor/extension-gallery#_install-from-a-vsix) instructions to install "vscode-ssp-assistant-0.0.6.vsix". 4 | 5 | ## Feedback 6 | 7 | For more information, questions, or feedback please [contact us](https://aka.ms/zerotrust-blueprint-feedback). 
8 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/utils/authoring-assistant/vscode-ssp-assistant-0.0.6.vsix: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/ato-toolkit/64545620d82480c2e17d1e80b8938591338623c1/zero trust architecture blueprint/archive/utils/authoring-assistant/vscode-ssp-assistant-0.0.6.vsix -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/05088c37-2381-4674-aa64-d3022d3839e9.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3", 4 | "parameters": { 5 | "listOfAllowedSKUs": { 6 | "value": "[parameters('allowedVirtualMachineSKUs_listOfAllowedVirtualMachineSKUs')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed virtual machine SKUs" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/05088c37-2381-4674-aa64-d3022d3839e9", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "05088c37-2381-4674-aa64-d3022d3839e9" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Enforce automatic OS upgrade with app health checks on VMSS" 7 | }, 
8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "05af2b76-44e5-40c7-a400-2bf814c90331" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/0d369266-ba61-408f-9224-b59407dd9219.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforLinuxVMs_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VMs" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0d369266-ba61-408f-9224-b59407dd9219", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "0d369266-ba61-408f-9224-b59407dd9219" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038", 4 | 
"parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforWindowsVMScaleSets_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "15b2256e-6e50-497e-8c7b-12908ea3bcec" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1", 4 | "parameters": { 5 | "listOfAllowedSKUs": { 6 | "value": "[parameters('allowedStorageAccountSKUs_listOfAllowedStorageSKUs')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed storage account SKUs" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "17932dfa-ef41-4773-bb3f-6d47ec231862" 16 | } -------------------------------------------------------------------------------- /zero trust architecture 
blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Require blob encryption for storage accounts" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "2fa4484f-856a-412f-8f6b-4dbe43ece14e" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/325a87d6-1147-4a81-a9b7-be40306f672a.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89", 4 | "parameters": { 5 | "storagePrefix": { 6 | "value": "[parameters('deployDiagnosticSettingsforNetworkSecurityGroups_storagePrefix')]" 7 | }, 8 | "rgName": { 9 | "value": "[parameters('deployDiagnosticSettingsforNetworkSecurityGroups_rgName')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "Deploy Diagnostic Settings for Network Security Groups" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/e923250e-d1b5-4d68-8d35-efe31f94be54", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "325a87d6-1147-4a81-a9b7-be40306f672a" 19 | } -------------------------------------------------------------------------------- /zero trust architecture 
blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy SQL DB transparent data encryption" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "3bcbd39e-142f-438c-8d60-bf1e7a7a646d" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/4e8db8db-05a3-4595-aaae-efc24c749ad6.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133", 4 | "parameters": { 5 | "listOfAllowedLocationsForResourcesAndResourceGroups": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | }, 8 | "membersToIncludeInAdministratorsLocalGroup": { 9 | "value": "[parameters('membersToIncludeInAdministratorsLocalGroup')]" 10 | }, 11 | "membersToExcludeInAdministratorsLocalGroup": { 12 | "value": "[parameters('membersToExcludeInAdministratorsLocalGroup')]" 13 | }, 14 | "listOfResourceTypes": { 15 | "value": "[parameters('listOfResourceTypes')]" 16 | }, 17 | "logAnalyticsWorkspaceIdForVMs": { 18 | "value": "[parameters('logAnalyticsWorkspaceIdForVMs')]" 19 | }, 20 | "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": { 21 | "value": "[parameters('longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect')]" 22 | }, 23 | 
"vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { 24 | "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]" 25 | }, 26 | "vulnerabilityAssessmentOnServerMonitoringEffect": { 27 | "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]" 28 | }, 29 | "geoRedundancyEnabledForStorageAccountsEffect": { 30 | "value": "[parameters('geoRedundancyEnabledForStorageAccountsEffect')]" 31 | }, 32 | "geoRedundancyEnabledForAzureDatabaseForMySQLEffect": { 33 | "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMySQLEffect')]" 34 | }, 35 | "geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect": { 36 | "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect')]" 37 | }, 38 | "webAppEnforceHttpsMonitoringEffect": { 39 | "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]" 40 | }, 41 | "functionAppEnforceHttpsMonitoringEffect": { 42 | "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]" 43 | }, 44 | "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { 45 | "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]" 46 | }, 47 | "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": { 48 | "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]" 49 | }, 50 | "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { 51 | "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]" 52 | }, 53 | "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { 54 | "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]" 55 | }, 56 | "identityRemoveDeprecatedAccountMonitoringEffect": { 57 | "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]" 58 | }, 59 | "webAppRestrictCORSAccessMonitoringEffect": { 60 | "value": 
"[parameters('webAppRestrictCORSAccessMonitoringEffect')]" 61 | }, 62 | "vmssSystemUpdatesMonitoringEffect": { 63 | "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]" 64 | }, 65 | "identityEnableMFAForReadPermissionsMonitoringEffect": { 66 | "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]" 67 | }, 68 | "identityEnableMFAForOwnerPermissionsMonitoringEffect": { 69 | "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]" 70 | }, 71 | "identityEnableMFAForWritePermissionsMonitoringEffect": { 72 | "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]" 73 | } 74 | }, 75 | "dependsOn": [], 76 | "displayName": "DoD Impact Level 4" 77 | }, 78 | "kind": "policyAssignment", 79 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0bf6c09a-e68c-4874-bf64-a568d4f5bc21", 80 | "type": "Microsoft.Blueprint/blueprints/artifacts", 81 | "name": "4e8db8db-05a3-4595-aaae-efc24c749ad6" 82 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforWindowsVMs_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VMs" 14 | }, 15 | 
"kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "758c7b68-2444-44ef-8b96-88697b685ac0" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/86379ec5-5137-4be8-924a-fdac61206823.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy Threat Detection on SQL servers" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/86379ec5-5137-4be8-924a-fdac61206823", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "86379ec5-5137-4be8-924a-fdac61206823" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "9f359831-fbfd-456d-ac61-7a949d067a55" 12 | } 
-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy network watcher when virtual networks are created" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "a0601552-2ed7-439f-a2f2-104130d3a20f" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy Advanced Data Security on SQL servers" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "a76b04dc-bab8-4e73-9968-be509cfa88b6" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/ad448639-d7d1-4f19-a459-02a6883d3a50.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", 4 | "parameters": { 5 | "listOfAllowedLocations": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed locations for resource groups" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/ad448639-d7d1-4f19-a459-02a6883d3a50", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "ad448639-d7d1-4f19-a459-02a6883d3a50" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/bcd7c4f1-5fed-4934-8e08-f76d0779ff27.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforLinuxVMScaleSets_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/bcd7c4f1-5fed-4934-8e08-f76d0779ff27", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": 
"bcd7c4f1-5fed-4934-8e08-f76d0779ff27" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/bfb71af3-5e93-4fef-8d82-1268fbb70867.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", 4 | "parameters": { 5 | "retentionDays": { 6 | "value": "[parameters('deployAuditingonSQLservers_retentionDays')]" 7 | }, 8 | "storageAccountsResourceGroup": { 9 | "value": "[parameters('deployAuditingonSQLservers_storageAccountsResourceGroup')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "Deploy Auditing on SQL servers" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0e6ae2e3-b1a4-4535-88e5-54560dd0e966", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "bfb71af3-5e93-4fef-8d82-1268fbb70867" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/e2e95399-ff59-48b9-9985-504a5eedd7af.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", 4 | "parameters": { 5 | "listOfAllowedLocations": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed locations" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/e2e95399-ff59-48b9-9985-504a5eedd7af", 14 | "type": 
"Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "e2e95399-ff59-48b9-9985-504a5eedd7af" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/blueprint/artifacts/security-center.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "template": { 4 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", 5 | "contentVersion": "1.0.0.1", 6 | "variables": { 7 | "pricing": "Standard" 8 | }, 9 | "resources": [ 10 | { 11 | "type": "Microsoft.Security/pricings", 12 | "apiVersion": "2017-08-01-preview", 13 | "name": "default", 14 | "properties": { 15 | "pricingTier": "[variables('pricing')]" 16 | } 17 | }, 18 | { 19 | "type": "Microsoft.Security/pricings", 20 | "apiVersion": "2018-06-01", 21 | "name": "SqlServers", 22 | "dependsOn": [ 23 | "[concat('Microsoft.Security/pricings/default')]" 24 | ], 25 | "properties": { 26 | "pricingTier": "[variables('pricing')]" 27 | } 28 | }, 29 | { 30 | "type": "Microsoft.Security/pricings", 31 | "apiVersion": "2018-06-01", 32 | "name": "VirtualMachines", 33 | "dependsOn": [ 34 | "[concat('Microsoft.Security/pricings/SqlServers')]" 35 | ], 36 | "properties": { 37 | "pricingTier": "[variables('pricing')]" 38 | } 39 | }, 40 | { 41 | "type": "Microsoft.Security/pricings", 42 | "apiVersion": "2018-06-01", 43 | "name": "StorageAccounts", 44 | "dependsOn": [ 45 | "[concat('Microsoft.Security/pricings/VirtualMachines')]" 46 | ], 47 | "properties": { 48 | "pricingTier": "[variables('pricing')]" 49 | } 50 | } 51 | ], 52 | "outputs": {} 53 | }, 54 | "parameters": {}, 55 | "dependsOn": [], 56 | "displayName": "Azure Security Center template", 57 | "description": "" 58 | }, 59 | "kind": "template", 60 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/security-center", 61 | 
"type": "Microsoft.Blueprint/blueprints/artifacts", 62 | "name": "security-center" 63 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/run.policy.template.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "policyAssignmentName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Specifies the name of the policy assignment." 9 | } 10 | }, 11 | "policyDefinitionID": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Specifies the ID of the policy definition or policy set definition being assigned." 15 | } 16 | }, 17 | "location": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Specifies the resource location for the system-assigned identity of the policy assignment." 21 | } 22 | }, 23 | "scope": { 24 | "type": "string", 25 | "defaultValue": "[subscription().id]", 26 | "metadata": { 27 | "description": "Specifies the scope where you want to assign the policy." 28 | } 29 | } 30 | }, 31 | "resources": [ 32 | { 33 | "type": "Microsoft.Authorization/policyAssignments", 34 | "name": "[parameters('policyAssignmentName')]", 35 | "apiVersion": "2018-05-01", 36 | "location": "[parameters('location')]", 37 | "identity": { 38 | "type": "SystemAssigned" 39 | }, 40 | "properties": { 41 | "scope": "[parameters('scope')]", 42 | "policyDefinitionId": "[parameters('policyDefinitionID')]" 43 | } 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/scripts/DownloadPowerShellModules.ps1: -------------------------------------------------------------------------------- 1 | .
"$PSScriptRoot/RequiredModules.ps1"

# Bootstraps the NuGet package provider so Install-Module can resolve modules.
# NOTE(review): the provider is fetched from the network at build time; only a
# minimum version is pinned, not a hash or signature, so the build host's
# package source must be trusted.
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

# Module list comes from RequiredModules.ps1, dot-sourced above.
$requiredModules = Get-RequiredModules

# Install the required modules
# Each module is pinned to an exact version with -RequiredVersion, which keeps the
# offline bundle reproducible. No -Repository is given, so resolution uses whatever
# repositories are registered on the build host — presumably PSGallery; confirm.
foreach($requiredModule in $requiredModules) {
    Install-module -Name $requiredModule.ModuleName -RequiredVersion $requiredModule.ModuleVersion -Force
}
-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/scripts/RequiredModules.ps1: --------------------------------------------------------------------------------
# Returns the DSC / STIG PowerShell modules that are bundled into the offline
# package, each pinned to an exact version so the build is reproducible.
function Get-RequiredModules {
    return @(
        @{ModuleName = 'AuditPolicyDsc'; ModuleVersion = '1.2.0.0'},
        @{ModuleName = 'AuditSystemDsc'; ModuleVersion = '1.1.0'},
        @{ModuleName = 'AccessControlDsc'; ModuleVersion = '1.4.0.0'},
        @{ModuleName = 'ComputerManagementDsc'; ModuleVersion = '6.2.0.0'},
        @{ModuleName = 'FileContentDsc'; ModuleVersion = '1.1.0.108'},
        @{ModuleName = 'GPRegistryPolicyDsc'; ModuleVersion = '1.2.0'},
        @{ModuleName = 'PSDscResources'; ModuleVersion = '2.10.0.0'},
        @{ModuleName = 'SecurityPolicyDsc'; ModuleVersion = '2.4.0.0'},
        @{ModuleName = 'SqlServerDsc'; ModuleVersion = '13.3.0'},
        @{ModuleName = 'WindowsDefenderDsc'; ModuleVersion = '1.0.0.0'},
        @{ModuleName = 'xDnsServer'; ModuleVersion = '1.11.0.0'},
        @{ModuleName = 'xWebAdministration'; ModuleVersion = '2.5.0.0'},
        @{ModuleName = 'cChoco'; ModuleVersion = '2.4.0.0'},
        @{ModuleName = 'xPSDesiredStateConfiguration'; ModuleVersion = '9.1.0'}
        # NOTE(review): the entry above has no trailing comma. Inside @( ) the line
        # break still separates array elements, so PowerSTIG is included, but the
        # style is inconsistent with the other entries.
        @{ModuleName = 'PowerSTIG'; ModuleVersion = '4.3.0'}
    )
}
-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/scripts/build.ps1: --------------------------------------------------------------------------------
. "$PSScriptRoot/RequiredModules.ps1"

# Refuse to run unless elevated: the script copies modules out of the installed
# module paths and writes under $PSScriptRoot.
if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(`
    [Security.Principal.WindowsBuiltInRole] "Administrator")) {
    throw "Insufficient permissions to run this script. Open the PowerShell console as an administrator and run this script again."
}

# We will output everything to the deployment root.
$publicDirectory = "$PSScriptRoot\dependencies"

# Bundle the Windows 2019 STIG DSC zip
$windowsStigDscPackageRoot = "WindowsServer2019Workgroup"
$windowsStigDscConfigFilename = "WindowsServer2019Workgroup.ps1"
$windowsStigDscPackageRootPath = "$PSScriptRoot\source\$windowsStigDscPackageRoot"

# Bundle the online STIG DSC zip
# Only the configuration source tree is zipped here; presumably the target VM
# fetches the modules itself in the online flow — confirm against the template.
New-Item -Path "$publicDirectory\online" -ItemType "directory" -ErrorAction SilentlyContinue
Compress-Archive -Path "$windowsStigDscPackageRootPath\**" -DestinationPath "$publicDirectory\online\$windowsStigDscConfigFilename.zip" -Force

# Bundle the offline STIG DSC zip
$requiredModules = Get-RequiredModules
$buildDirectory = "$PSScriptRoot\temp.usr"
# Start from a clean scratch directory; a missing directory is not treated as an error.
Remove-Item $buildDirectory -Recurse -Confirm:$false -Force -ErrorAction SilentlyContinue

New-Item -Path $buildDirectory -ItemType "directory"
Copy-Item -Path "$windowsStigDscPackageRootPath" -Destination "$buildDirectory" -Recurse

# Copy each pinned module next to the configuration so the zip is self-contained
# for hosts with no gallery access. Split-Path takes the parent of ModuleBase —
# presumably the version-numbered folder, so the module root is what gets copied; confirm.
foreach($requiredModule in $requiredModules) {
    $FullyQualifedName = @{ModuleName="$($requiredModule.ModuleName)";ModuleVersion="$($requiredModule.ModuleVersion)"}
    # NOTE(review): if the pinned version is not installed on the build host,
    # Get-Module returns nothing and this line most likely fails on Split-Path
    # with an unhelpful null-argument error rather than naming the missing module.
    $ModulePath = (Get-Module -FullyQualifiedName $FullyQualifedName -ListAvailable)[0].ModuleBase | Split-Path
    Write-Verbose "Copying $ModulePath to build folder."
    Copy-Item -Path "$ModulePath" -Destination "$buildDirectory\$windowsStigDscPackageRoot" -Recurse
}

# Zip up the DSC package into the format expected by the DSC VM Extension
New-Item -Path "$publicDirectory\offline" -ItemType "directory" -ErrorAction SilentlyContinue
Compress-Archive -Path "$buildDirectory\$windowsStigDscPackageRoot\**" -DestinationPath "$publicDirectory\offline\$windowsStigDscConfigFilename.zip" -Force

-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/scripts/dependencies/offline/apply-stigs.sh: --------------------------------------------------------------------------------
# set up variables needed
# NOTE(review): no shebang and no `set -euo pipefail`; a failed mkdir or tar does
# not stop the script, so the STIG step below can run against an incomplete extraction.
workingFolder="/var/tmp/zta-files"
archive="offline-zta.tar.gz"
offlineRepoName="offline-zta-repo"
stigFile="rhel7.sh"

# create the working folder
# Fixed path under the shared /var/tmp; mkdir without -p also fails if it already exists.
echo "..creating the working folder: $workingFolder"
mkdir $workingFolder

# uncompress the archive
# $archive is resolved relative to the current working directory, not to the script.
echo "..uncompressing archive to: $workingFolder"
tar -xzvf "$archive" -C "$workingFolder"

# create an entry for the repo
# The repo is registered disabled (enabled=0) with gpgcheck=1 against the stock
# CentOS 7 key, so bundled packages must still carry a valid signature. The STIG
# script is presumably what enables the repo for its own installs — confirm.
# $workingFolder is absolute, so baseurl ends up with four slashes; yum appears to
# tolerate this, but file://$workingFolder/... would be the canonical form.
echo "..creating repo file: /etc/yum.repos.d/$offlineRepoName.repo"
cat > /etc/yum.repos.d/$offlineRepoName.repo<< EOF
[offline-zta-repo]
name=$offlineRepoName
baseurl=file:///$workingFolder/$offlineRepoName
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF

# run the stig script
# Also resolved relative to the current working directory.
echo "..executing stig script: $stigFile"
bash "$stigFile"

# remove the repo file and working folder
echo "..stig script done. Time for cleanup"
echo "..removing repo file: /etc/yum.repos.d/$offlineRepoName.repo"
rm -f /etc/yum.repos.d/$offlineRepoName.repo
echo "..removing working folder: $workingFolder"
rm -r $workingFolder

-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/scripts/dependencies/online/apply-stigs.sh: --------------------------------------------------------------------------------
# Online variant: no local repo is staged; only the STIG script runs, resolved
# relative to the current working directory.
stigFile="rhel7.sh"

# run the stig script
echo "..executing stig script: $stigFile"
bash "$stigFile"

-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture-offline/scripts/upload.ps1: --------------------------------------------------------------------------------
Param(
    [string]
    [Parameter(Mandatory = $true)]
    $ResourcePrefix,

    [string]
    $Region = "usgovarizona"
)

# Creates the storage account that hosts the deployment artifacts, or reuses an
# account of that name if one is already visible in the current subscription.
# New accounts are limited to HTTPS transport (-EnableHttpsTrafficOnly $true).
function Create-ArtifactStorageAccount {
    param(
        [Parameter(Mandatory = $True)]
        [string]
        $ResourceGroupName,

        [Parameter(Mandatory = $True)]
        [string]
        $Region,

        [Parameter(Mandatory = $True)]
        [string]
        $artifactStorageAccountName
    )

    # Looked up by name across the whole subscription, not scoped to $ResourceGroupName.
    $existingAccount = (Get-AzStorageAccount | Where-Object { $_.StorageAccountName -eq $artifactStorageAccountName })

    if (!$existingAccount) {
        Write-Host "Creating a new artifact storage account $artifactStorageAccountName"
        $existingAccount = New-AzStorageAccount -ResourceGroupName $ResourceGroupName `
            -Name $artifactStorageAccountName `
            -Location $Region `
            -SkuName Standard_GRS `
            -Kind Storage `
            -EnableHttpsTrafficOnly $true
    }
    else {
        Write-Host "Using existing artifact storage account $artifactStorageAccountName"
    }
}

# Uploads every file under $LocalDirectoryToStage into a blob container, keeping
# the relative folder layout, and returns the container URL.
function Upload-Artifacts {
    param(
        [Parameter(Mandatory = $True)]
        [string]
        $artifactStorageAccountName,

        [Parameter(Mandatory = $True)]
        [string]
        $containerName,

        [Parameter(Mandatory = $True)]
        [string]
        $LocalDirectoryToStage
    )

    $storageAccount = (Get-AzStorageAccount | Where-Object { $_.StorageAccountName -eq $artifactStorageAccountName })

    # NOTE(review): -Permission Container grants anonymous public read on the
    # container and every blob in it, so the staged templates, scripts and zips
    # are world-readable. If the deployment can fetch them with a SAS token or a
    # managed identity instead, use -Permission Off. The *>&1 redirection also
    # captures any container-creation failure into $Container, which is never read.
    $Container = New-AzStorageContainer -Name $containerName -Context $storageAccount.Context -Permission Container -ErrorAction SilentlyContinue *>&1

    $FilesToStage = Get-ChildItem $LocalDirectoryToStage -Recurse -File
    Write-Host "Found $($FilesToStage.count) file(s) at path $LocalDirectoryToStage"

    foreach ($FileToStage in $FilesToStage) {
        # Keep the source folder structure
        # Strip the staging root prefix and normalise to '/' blob-path separators.
        $blobName = ($FileToStage.fullname.Substring($LocalDirectoryToStage.Length)).Replace("\", "/").trim("/")

        $BlobContent = Set-AzStorageBlobContent -File $FileToStage.FullName -Blob "$blobName" `
            -Container $containerName `
            -Context $storageAccount.Context `
            -BlobType "Block" `
            -Force
    }

    Write-Host "Uploaded $($FilesToStage.Count) file(s) to Container '$($containerName)' in Storage Account '$($artifactStorageAccountName)'."
    return $storageAccount.Context.BlobEndPoint + $containerName
}


$containerName = "artifacts"
$artifactStorageAccountName = "$($ResourcePrefix)artifacts"
$artifactResourceGroupName = "$($ResourcePrefix)-artifacts"
$buildPath = "$PSScriptRoot\dependencies"

# Create the artifact storage account and stage the deployment files
New-AzResourceGroup -Name $artifactResourceGroupName -Location $Region -Verbose -Force
Create-ArtifactStorageAccount -ArtifactStorageAccountName $artifactStorageAccountName -ResourceGroupName $artifactResourceGroupName -Region $Region
$deploymentTemplateRoot = Upload-Artifacts -ArtifactStorageAccountName $artifactStorageAccountName -ContainerName $containerName -LocalDirectoryToStage $buildPath

# The printed URL is the root the deployment templates fetch artifacts from.
Write-Host $deploymentTemplateRoot


-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/05088c37-2381-4674-aa64-d3022d3839e9.json: --------------------------------------------------------------------------------
{
  "properties": {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3",
    "parameters": {
      "listOfAllowedSKUs": {
        "value": "[parameters('allowedVirtualMachineSKUs_listOfAllowedVirtualMachineSKUs')]"
      }
    },
    "dependsOn": [],
    "displayName": "Allowed virtual machine SKUs"
  },
  "kind": "policyAssignment",
  "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/05088c37-2381-4674-aa64-d3022d3839e9",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "05088c37-2381-4674-aa64-d3022d3839e9"
}
-------------------------------------------------------------------------------- /zero trust architecture
blueprint/archive/zero-trust-architecture/blueprint/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Enforce automatic OS upgrade with app health checks on VMSS" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "05af2b76-44e5-40c7-a400-2bf814c90331" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/0d369266-ba61-408f-9224-b59407dd9219.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforLinuxVMs_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VMs" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0d369266-ba61-408f-9224-b59407dd9219", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "0d369266-ba61-408f-9224-b59407dd9219" 19 | } 
-------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforWindowsVMScaleSets_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "15b2256e-6e50-497e-8c7b-12908ea3bcec" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1", 4 | "parameters": { 5 | "listOfAllowedSKUs": { 6 | "value": "[parameters('allowedStorageAccountSKUs_listOfAllowedStorageSKUs')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed storage account SKUs" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": 
"/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "17932dfa-ef41-4773-bb3f-6d47ec231862" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Require blob encryption for storage accounts" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "2fa4484f-856a-412f-8f6b-4dbe43ece14e" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/325a87d6-1147-4a81-a9b7-be40306f672a.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89", 4 | "parameters": { 5 | "storagePrefix": { 6 | "value": "[parameters('deployDiagnosticSettingsforNetworkSecurityGroups_storagePrefix')]" 7 | }, 8 | "rgName": { 9 | "value": "[parameters('deployDiagnosticSettingsforNetworkSecurityGroups_rgName')]" 10 | } 11 | }, 12 | "dependsOn": [ 13 | 14 | ], 15 | "displayName": "Deploy Diagnostic Settings for Network Security Groups" 16 | }, 17 | "kind": "policyAssignment", 18 | "id": 
"/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/e923250e-d1b5-4d68-8d35-efe31f94be54", 19 | "type": "Microsoft.Blueprint/blueprints/artifacts", 20 | "name": "325a87d6-1147-4a81-a9b7-be40306f672a" 21 | } 22 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy SQL DB transparent data encryption" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "3bcbd39e-142f-438c-8d60-bf1e7a7a646d" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/4e8db8db-05a3-4595-aaae-efc24c749ad6.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133", 4 | "parameters": { 5 | "listOfAllowedLocationsForResourcesAndResourceGroups": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | }, 8 | "membersToIncludeInAdministratorsLocalGroup": { 9 | "value": "[parameters('membersToIncludeInAdministratorsLocalGroup')]" 10 | }, 11 | "membersToExcludeInAdministratorsLocalGroup": { 12 | "value": "[parameters('membersToExcludeInAdministratorsLocalGroup')]" 13 | }, 14 | "listOfResourceTypes": { 
15 | "value": "[parameters('listOfResourceTypes')]" 16 | }, 17 | "logAnalyticsWorkspaceIdForVMs": { 18 | "value": "[parameters('logAnalyticsWorkspaceIdForVMs')]" 19 | }, 20 | "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": { 21 | "value": "[parameters('longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect')]" 22 | }, 23 | "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { 24 | "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]" 25 | }, 26 | "vulnerabilityAssessmentOnServerMonitoringEffect": { 27 | "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]" 28 | }, 29 | "geoRedundancyEnabledForStorageAccountsEffect": { 30 | "value": "[parameters('geoRedundancyEnabledForStorageAccountsEffect')]" 31 | }, 32 | "geoRedundancyEnabledForAzureDatabaseForMySQLEffect": { 33 | "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMySQLEffect')]" 34 | }, 35 | "geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect": { 36 | "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect')]" 37 | }, 38 | "webAppEnforceHttpsMonitoringEffect": { 39 | "value": "[parameters('webAppEnforceHttpsMonitoringEffect')]" 40 | }, 41 | "functionAppEnforceHttpsMonitoringEffect": { 42 | "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]" 43 | }, 44 | "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { 45 | "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]" 46 | }, 47 | "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": { 48 | "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]" 49 | }, 50 | "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { 51 | "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]" 52 | }, 53 | "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { 54 | "value": 
"[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]" 55 | }, 56 | "identityRemoveDeprecatedAccountMonitoringEffect": { 57 | "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]" 58 | }, 59 | "webAppRestrictCORSAccessMonitoringEffect": { 60 | "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]" 61 | }, 62 | "vmssSystemUpdatesMonitoringEffect": { 63 | "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]" 64 | }, 65 | "identityEnableMFAForReadPermissionsMonitoringEffect": { 66 | "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]" 67 | }, 68 | "identityEnableMFAForOwnerPermissionsMonitoringEffect": { 69 | "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]" 70 | }, 71 | "identityEnableMFAForWritePermissionsMonitoringEffect": { 72 | "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]" 73 | } 74 | }, 75 | "dependsOn": [ 76 | 77 | ], 78 | "displayName": "DoD Impact Level 4" 79 | }, 80 | "kind": "policyAssignment", 81 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0bf6c09a-e68c-4874-bf64-a568d4f5bc21", 82 | "type": "Microsoft.Blueprint/blueprints/artifacts", 83 | "name": "4e8db8db-05a3-4595-aaae-efc24c749ad6" 84 | } 85 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', 
concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforWindowsVMs_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VMs" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "758c7b68-2444-44ef-8b96-88697b685ac0" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/86379ec5-5137-4be8-924a-fdac61206823.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy Threat Detection on SQL servers" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/86379ec5-5137-4be8-924a-fdac61206823", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "86379ec5-5137-4be8-924a-fdac61206823" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/939c6f4a-da98-4c2e-9d87-ba25bb8f0c23.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "template": { 4 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", 5 | "contentVersion": "1.0.0.1", 6 | "variables": {}, 7 | "resources": [ 8 | { 9 | "type": 
"Microsoft.Security/pricings", 10 | "apiVersion": "2017-08-01-preview", 11 | "name": "default", 12 | "properties": { 13 | "pricingTier": "Standard" 14 | } 15 | } 16 | ], 17 | "outputs": {} 18 | }, 19 | "parameters": {}, 20 | "dependsOn": [], 21 | "displayName": "Azure Security Center template", 22 | "description": "" 23 | }, 24 | "kind": "template", 25 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/939c6f4a-da98-4c2e-9d87-ba25bb8f0c23", 26 | "type": "Microsoft.Blueprint/blueprints/artifacts", 27 | "name": "939c6f4a-da98-4c2e-9d87-ba25bb8f0c23" 28 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "9f359831-fbfd-456d-ac61-7a949d067a55" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy network watcher 
when virtual networks are created" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "a0601552-2ed7-439f-a2f2-104130d3a20f" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy Advanced Data Security on SQL servers" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "a76b04dc-bab8-4e73-9968-be509cfa88b6" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/ad448639-d7d1-4f19-a459-02a6883d3a50.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", 4 | "parameters": { 5 | "listOfAllowedLocations": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed locations for resource groups" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": 
"/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/ad448639-d7d1-4f19-a459-02a6883d3a50", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "ad448639-d7d1-4f19-a459-02a6883d3a50" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/bcd7c4f1-5fed-4934-8e08-f76d0779ff27.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforLinuxVMScaleSets_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [ 13 | 14 | ], 15 | "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)" 16 | }, 17 | "kind": "policyAssignment", 18 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/bcd7c4f1-5fed-4934-8e08-f76d0779ff27", 19 | "type": "Microsoft.Blueprint/blueprints/artifacts", 20 | "name": "bcd7c4f1-5fed-4934-8e08-f76d0779ff27" 21 | } 22 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/bfb71af3-5e93-4fef-8d82-1268fbb70867.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", 4 | "parameters": { 5 | 
"retentionDays": { 6 | "value": "[parameters('deployAuditingonSQLservers_retentionDays')]" 7 | }, 8 | "storageAccountsResourceGroup": { 9 | "value": "[parameters('deployAuditingonSQLservers_storageAccountsResourceGroup')]" 10 | } 11 | }, 12 | "dependsOn": [ 13 | 14 | ], 15 | "displayName": "Deploy Auditing on SQL servers" 16 | }, 17 | "kind": "policyAssignment", 18 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0e6ae2e3-b1a4-4535-88e5-54560dd0e966", 19 | "type": "Microsoft.Blueprint/blueprints/artifacts", 20 | "name": "bfb71af3-5e93-4fef-8d82-1268fbb70867" 21 | } 22 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/archive/zero-trust-architecture/blueprint/artifacts/e2e95399-ff59-48b9-9985-504a5eedd7af.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", 4 | "parameters": { 5 | "listOfAllowedLocations": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | } 8 | }, 9 | "dependsOn": [ 10 | 11 | ], 12 | "displayName": "Allowed locations" 13 | }, 14 | "kind": "policyAssignment", 15 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/e2e95399-ff59-48b9-9985-504a5eedd7af", 16 | "type": "Microsoft.Blueprint/blueprints/artifacts", 17 | "name": "e2e95399-ff59-48b9-9985-504a5eedd7af" 18 | } 19 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/05088c37-2381-4674-aa64-d3022d3839e9.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3", 4 | "parameters": { 5 | "listOfAllowedSKUs": { 6 | "value": "[parameters('allowedVirtualMachineSKUs_listOfAllowedVirtualMachineSKUs')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed virtual machine SKUs" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/05088c37-2381-4674-aa64-d3022d3839e9", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "05088c37-2381-4674-aa64-d3022d3839e9" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Enforce automatic OS upgrade with app health checks on VMSS" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/05af2b76-44e5-40c7-a400-2bf814c90331", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "05af2b76-44e5-40c7-a400-2bf814c90331" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/0d369266-ba61-408f-9224-b59407dd9219.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, 
'/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforLinuxVMs_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VMs" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0d369266-ba61-408f-9224-b59407dd9219", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "0d369266-ba61-408f-9224-b59407dd9219" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforWindowsVMScaleSets_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/15b2256e-6e50-497e-8c7b-12908ea3bcec", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "15b2256e-6e50-497e-8c7b-12908ea3bcec" 
19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1", 4 | "parameters": { 5 | "listOfAllowedSKUs": { 6 | "value": "[parameters('allowedStorageAccountSKUs_listOfAllowedStorageSKUs')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed storage account SKUs" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/17932dfa-ef41-4773-bb3f-6d47ec231862", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "17932dfa-ef41-4773-bb3f-6d47ec231862" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Require blob encryption for storage accounts" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/2fa4484f-856a-412f-8f6b-4dbe43ece14e", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "2fa4484f-856a-412f-8f6b-4dbe43ece14e" 12 | } -------------------------------------------------------------------------------- /zero trust architecture 
blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/325a87d6-1147-4a81-a9b7-be40306f672a.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89", 4 | "parameters": { 5 | "storagePrefix": { 6 | "value": "[parameters('deployDiagnosticSettingsforNetworkSecurityGroups_storagePrefix')]" 7 | }, 8 | "rgName": { 9 | "value": "[parameters('deployDiagnosticSettingsforNetworkSecurityGroups_rgName')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "Deploy Diagnostic Settings for Network Security Groups" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/e923250e-d1b5-4d68-8d35-efe31f94be54", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "325a87d6-1147-4a81-a9b7-be40306f672a" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy SQL DB transparent data encryption" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/3bcbd39e-142f-438c-8d60-bf1e7a7a646d", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "3bcbd39e-142f-438c-8d60-bf1e7a7a646d" 12 | } -------------------------------------------------------------------------------- /zero trust architecture 
blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/4e8db8db-05a3-4595-aaae-efc24c749ad6.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/8d792a84-723c-4d92-a3c3-e4ed16a2d133", 4 | "parameters": { 5 | "listOfAllowedLocationsForResourcesAndResourceGroups": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | }, 8 | "membersToIncludeInAdministratorsLocalGroup": { 9 | "value": "[parameters('membersToIncludeInAdministratorsLocalGroup')]" 10 | }, 11 | "membersToExcludeInAdministratorsLocalGroup": { 12 | "value": "[parameters('membersToExcludeInAdministratorsLocalGroup')]" 13 | }, 14 | "listOfResourceTypes": { 15 | "value": "[parameters('listOfResourceTypes')]" 16 | }, 17 | "logAnalyticsWorkspaceIdForVMs": { 18 | "value": "[parameters('logAnalyticsWorkspaceIdForVMs')]" 19 | }, 20 | "longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect": { 21 | "value": "[parameters('longtermGeoRedundantBackupEnabledAzureSQLDatabasesEffect')]" 22 | }, 23 | "vulnerabilityAssessmentOnManagedInstanceMonitoringEffect": { 24 | "value": "[parameters('vulnerabilityAssessmentOnManagedInstanceMonitoringEffect')]" 25 | }, 26 | "vulnerabilityAssessmentOnServerMonitoringEffect": { 27 | "value": "[parameters('vulnerabilityAssessmentOnServerMonitoringEffect')]" 28 | }, 29 | "geoRedundancyEnabledForStorageAccountsEffect": { 30 | "value": "[parameters('geoRedundancyEnabledForStorageAccountsEffect')]" 31 | }, 32 | "geoRedundancyEnabledForAzureDatabaseForMySQLEffect": { 33 | "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForMySQLEffect')]" 34 | }, 35 | "geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect": { 36 | "value": "[parameters('geoRedundancyEnabledForAzureDatabaseForPostgreSQLEffect')]" 37 | }, 38 | "webAppEnforceHttpsMonitoringEffect": { 39 | "value": 
"[parameters('webAppEnforceHttpsMonitoringEffect')]" 40 | }, 41 | "functionAppEnforceHttpsMonitoringEffect": { 42 | "value": "[parameters('functionAppEnforceHttpsMonitoringEffect')]" 43 | }, 44 | "identityRemoveExternalAccountWithWritePermissionsMonitoringEffect": { 45 | "value": "[parameters('identityRemoveExternalAccountWithWritePermissionsMonitoringEffect')]" 46 | }, 47 | "identityRemoveExternalAccountWithReadPermissionsMonitoringEffect": { 48 | "value": "[parameters('identityRemoveExternalAccountWithReadPermissionsMonitoringEffect')]" 49 | }, 50 | "identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect": { 51 | "value": "[parameters('identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect')]" 52 | }, 53 | "identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect": { 54 | "value": "[parameters('identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect')]" 55 | }, 56 | "identityRemoveDeprecatedAccountMonitoringEffect": { 57 | "value": "[parameters('identityRemoveDeprecatedAccountMonitoringEffect')]" 58 | }, 59 | "webAppRestrictCORSAccessMonitoringEffect": { 60 | "value": "[parameters('webAppRestrictCORSAccessMonitoringEffect')]" 61 | }, 62 | "vmssSystemUpdatesMonitoringEffect": { 63 | "value": "[parameters('vmssSystemUpdatesMonitoringEffect')]" 64 | }, 65 | "identityEnableMFAForReadPermissionsMonitoringEffect": { 66 | "value": "[parameters('identityEnableMFAForReadPermissionsMonitoringEffect')]" 67 | }, 68 | "identityEnableMFAForOwnerPermissionsMonitoringEffect": { 69 | "value": "[parameters('identityEnableMFAForOwnerPermissionsMonitoringEffect')]" 70 | }, 71 | "identityEnableMFAForWritePermissionsMonitoringEffect": { 72 | "value": "[parameters('identityEnableMFAForWritePermissionsMonitoringEffect')]" 73 | } 74 | }, 75 | "dependsOn": [], 76 | "displayName": "DoD Impact Level 4" 77 | }, 78 | "kind": "policyAssignment", 79 | "id": 
"/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0bf6c09a-e68c-4874-bf64-a568d4f5bc21", 80 | "type": "Microsoft.Blueprint/blueprints/artifacts", 81 | "name": "4e8db8db-05a3-4595-aaae-efc24c749ad6" 82 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforWindowsVMs_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Windows VMs" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/758c7b68-2444-44ef-8b96-88697b685ac0", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "758c7b68-2444-44ef-8b96-88697b685ac0" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/86379ec5-5137-4be8-924a-fdac61206823.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | 
"displayName": "Deploy Threat Detection on SQL servers" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/86379ec5-5137-4be8-924a-fdac61206823", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "86379ec5-5137-4be8-924a-fdac61206823" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy default Microsoft IaaSAntimalware extension for Windows Server" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/9f359831-fbfd-456d-ac61-7a949d067a55", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "9f359831-fbfd-456d-ac61-7a949d067a55" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy network watcher when virtual networks are created" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/a0601552-2ed7-439f-a2f2-104130d3a20f", 10 | "type": 
"Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "a0601552-2ed7-439f-a2f2-104130d3a20f" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", 4 | "parameters": {}, 5 | "dependsOn": [], 6 | "displayName": "Deploy Advanced Data Security on SQL servers" 7 | }, 8 | "kind": "policyAssignment", 9 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/a76b04dc-bab8-4e73-9968-be509cfa88b6", 10 | "type": "Microsoft.Blueprint/blueprints/artifacts", 11 | "name": "a76b04dc-bab8-4e73-9968-be509cfa88b6" 12 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/ad448639-d7d1-4f19-a459-02a6883d3a50.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", 4 | "parameters": { 5 | "listOfAllowedLocations": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed locations for resource groups" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/ad448639-d7d1-4f19-a459-02a6883d3a50", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "ad448639-d7d1-4f19-a459-02a6883d3a50" 16 | } -------------------------------------------------------------------------------- /zero 
trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/bcd7c4f1-5fed-4934-8e08-f76d0779ff27.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069", 4 | "parameters": { 5 | "logAnalytics": { 6 | "value": "[concat(subscription().id, '/resourceGroups/', concat(parameters('resourcePrefix'), '-sharedsvcs-rg'), '/providers/Microsoft.OperationalInsights/workspaces/', concat(parameters('resourcePrefix'), '-sharedsvcs-log'))]" 7 | }, 8 | "listOfImageIdToInclude": { 9 | "value": "[parameters('deployLogAnalyticsAgentforLinuxVMScaleSets_listOfImageIdToInclude')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "[Preview]: Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)" 14 | }, 15 | "kind": "policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/bcd7c4f1-5fed-4934-8e08-f76d0779ff27", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "bcd7c4f1-5fed-4934-8e08-f76d0779ff27" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/bfb71af3-5e93-4fef-8d82-1268fbb70867.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", 4 | "parameters": { 5 | "retentionDays": { 6 | "value": "[parameters('deployAuditingonSQLservers_retentionDays')]" 7 | }, 8 | "storageAccountsResourceGroup": { 9 | "value": "[parameters('deployAuditingonSQLservers_storageAccountsResourceGroup')]" 10 | } 11 | }, 12 | "dependsOn": [], 13 | "displayName": "Deploy Auditing on SQL servers" 14 | }, 15 | "kind": 
"policyAssignment", 16 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/0e6ae2e3-b1a4-4535-88e5-54560dd0e966", 17 | "type": "Microsoft.Blueprint/blueprints/artifacts", 18 | "name": "bfb71af3-5e93-4fef-8d82-1268fbb70867" 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/blueprint/artifacts/e2e95399-ff59-48b9-9985-504a5eedd7af.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", 4 | "parameters": { 5 | "listOfAllowedLocations": { 6 | "value": "[parameters('listOfAllowedLocationsForResourcesAndResourceGroups')]" 7 | } 8 | }, 9 | "dependsOn": [], 10 | "displayName": "Allowed locations" 11 | }, 12 | "kind": "policyAssignment", 13 | "id": "/providers/Microsoft.Blueprint/blueprints/bce24a0e-4bb8-45bd-b705-8493e0180a34/artifacts/e2e95399-ff59-48b9-9985-504a5eedd7af", 14 | "type": "Microsoft.Blueprint/blueprints/artifacts", 15 | "name": "e2e95399-ff59-48b9-9985-504a5eedd7af" 16 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/run-cleanup.ps1: -------------------------------------------------------------------------------- 1 | param( 2 | 3 | [Parameter(Mandatory=$true, HelpMessage='namePrefix')] 4 | [string] $namePrefix, 5 | [Parameter(Mandatory=$false, HelpMessage='asJob')] 6 | [switch] $asJob 7 | ) 8 | 9 | Get-AzResourceLock | Where-Object ResourceName -like "$namePrefix*" | Remove-AzResourceLock -Force 10 | 11 | if ($asJob) 12 | { 13 | Get-AzResourceGroup | Where-Object ResourceGroupName -like "$namePrefix*" | Remove-AzResourceGroup -Force -AsJob 14 | } 15 | else { 16 | Get-AzResourceGroup | Where-Object ResourceGroupName -like 
"$namePrefix*" | Remove-AzResourceGroup -Force 17 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/run.policy.template.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "policyAssignmentName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Specifies the name of the policy assignment." 9 | } 10 | }, 11 | "policyDefinitionID": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Specifies the ID of the policy definition or policy set definition being assigned." 15 | } 16 | }, 17 | "location": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Specifies the resource location for system assigned identity of the policy assignment." 21 | } 22 | }, 23 | "scope": { 24 | "type": "string", 25 | "defaultValue": "[subscription().id]", 26 | "metadata": { 27 | "description": "Specifies the scope of the where you want to assign the policy." 28 | } 29 | } 30 | }, 31 | "resources": [ 32 | { 33 | "type": "Microsoft.Authorization/policyAssignments", 34 | "name": "[parameters('policyAssignmentName')]", 35 | "apiVersion": "2018-05-01", 36 | "location": "[parameters('location')]", 37 | "identity": { 38 | "type": "SystemAssigned" 39 | }, 40 | "properties": { 41 | "scope": "[parameters('scope')]", 42 | "policyDefinitionId": "[parameters('policyDefinitionID')]" 43 | } 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/scripts/DownloadPowerShellModules.ps1: -------------------------------------------------------------------------------- 1 | . 
"$PSScriptRoot/RequiredModules.ps1" 2 | 3 | $requiredModules = Get-RequiredModules 4 | 5 | # Install the required modules 6 | foreach($requiredModule in $requiredModules) { 7 | Install-module -Name $requiredModule.ModuleName -RequiredVersion $requiredModule.ModuleVersion -Force 8 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/scripts/RequiredModules.ps1: -------------------------------------------------------------------------------- 1 | function Get-RequiredModules { 2 | return @( 3 | @{ModuleName = 'AuditPolicyDsc'; ModuleVersion = '1.2.0.0'}, 4 | @{ModuleName = 'AuditSystemDsc'; ModuleVersion = '1.1.0'}, 5 | @{ModuleName = 'AccessControlDsc'; ModuleVersion = '1.4.0.0'}, 6 | @{ModuleName = 'ComputerManagementDsc'; ModuleVersion = '6.2.0.0'}, 7 | @{ModuleName = 'FileContentDsc'; ModuleVersion = '1.1.0.108'}, 8 | @{ModuleName = 'GPRegistryPolicyDsc'; ModuleVersion = '1.2.0'}, 9 | @{ModuleName = 'PSDscResources'; ModuleVersion = '2.10.0.0'}, 10 | @{ModuleName = 'SecurityPolicyDsc'; ModuleVersion = '2.4.0.0'}, 11 | @{ModuleName = 'SqlServerDsc'; ModuleVersion = '13.3.0'}, 12 | @{ModuleName = 'WindowsDefenderDsc'; ModuleVersion = '1.0.0.0'}, 13 | @{ModuleName = 'xDnsServer'; ModuleVersion = '1.11.0.0'}, 14 | @{ModuleName = 'xWebAdministration'; ModuleVersion = '2.5.0.0'}, 15 | @{ModuleName = 'cChoco'; ModuleVersion = '2.4.0.0'}, 16 | @{ModuleName = 'xPSDesiredStateConfiguration'; ModuleVersion = '9.1.0'} 17 | @{ModuleName = 'PowerSTIG'; ModuleVersion = '4.3.0'} 18 | ) 19 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-offline-v2/scripts/build.ps1: -------------------------------------------------------------------------------- 1 | . 
"$PSScriptRoot/RequiredModules.ps1" 2 | 3 | if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` 4 | [Security.Principal.WindowsBuiltInRole] "Administrator")) { 5 | throw "Insufficient permissions to run this script. Open the PowerShell console as an administrator and run this script again." 6 | } 7 | 8 | # We will output everything to the deployment root. 9 | $publicDirectory = "$PSScriptRoot\dependencies" 10 | 11 | # Bundle the Windows 2019 STIG DSC zip 12 | $windowsStigDscPackageRoot = "WindowsServer2019Workgroup" 13 | $windowsStigDscConfigFilename = "WindowsServer2019Workgroup.ps1" 14 | $windowsStigDscPackageRootPath = "$PSScriptRoot\source\$windowsStigDscPackageRoot" 15 | 16 | # Bundle the online STIG DSC zip 17 | New-Item -Path "$publicDirectory\online" -ItemType "directory" -ErrorAction SilentlyContinue 18 | Compress-Archive -Path "$windowsStigDscPackageRootPath\**" -DestinationPath "$publicDirectory\online\$windowsStigDscConfigFilename.zip" -Force 19 | 20 | # Bundle the offline STIG DSC zip 21 | $requiredModules = Get-RequiredModules 22 | $buildDirectory = "$PSScriptRoot\temp.usr" 23 | Remove-Item $buildDirectory -Recurse -Confirm:$false -Force -ErrorAction SilentlyContinue 24 | 25 | New-Item -Path $buildDirectory -ItemType "directory" 26 | Copy-Item -Path "$windowsStigDscPackageRootPath" -Destination "$buildDirectory" -Recurse 27 | 28 | foreach($requiredModule in $requiredModules) { 29 | $FullyQualifedName = @{ModuleName="$($requiredModule.ModuleName)";ModuleVersion="$($requiredModule.ModuleVersion)"} 30 | $ModulePath = (Get-Module -FullyQualifiedName $FullyQualifedName -ListAvailable)[0].ModuleBase | Split-Path 31 | Write-Verbose "Copying $ModulePath to build folder." 
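Copy-Item -Path "$ModulePath" -Destination "$buildDirectory\$windowsStigDscPackageRoot" -Recurse
}

# Zip up the DSC package into the format expected by the DSC VM Extension
New-Item -Path "$publicDirectory\offline" -ItemType "directory" -ErrorAction SilentlyContinue
Compress-Archive -Path "$buildDirectory\$windowsStigDscPackageRoot\**" -DestinationPath "$publicDirectory\offline\$windowsStigDscConfigFilename.zip" -Force

--------------------------------------------------------------------------------
/zero trust architecture blueprint/zero-trust-architecture-offline-v2/scripts/dependencies/offline/apply-stigs.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Apply the RHEL 7 STIG on a disconnected host.
#
# Steps: unpack the offline package archive into a working folder, register it
# with yum as a local repository (disabled by default and GPG-checked, so only
# commands that explicitly enable it will install from it), run the STIG script,
# then remove the repository definition and the working folder again.
#
# Must run as root, from the directory that holds $archive and $stigFile.

# set up variables needed
workingFolder="/var/tmp/zta-files"
archive="offline-zta.tar.gz"
offlineRepoName="offline-zta-repo"
stigFile="rhel7.sh"
repoFile="/etc/yum.repos.d/$offlineRepoName.repo"

# remove the repo file and working folder; registered as an EXIT trap once the
# working folder exists, so cleanup also runs when a later step fails and no
# repo definition is left behind pointing at a path that no longer exists
cleanup() {
    echo "..removing repo file: $repoFile"
    rm -f "$repoFile"
    echo "..removing working folder: $workingFolder"
    rm -r "$workingFolder"
}

# the inputs have to be present before anything on the host is touched
for required in "$archive" "$stigFile"; do
    if [ ! -f "$required" ]; then
        echo "..required file not found in $(pwd): $required" >&2
        exit 1
    fi
done

# create the working folder; /var/tmp is shared, so refuse to reuse a folder
# that already exists rather than extracting into one this script did not create
echo "..creating the working folder: $workingFolder"
if ! mkdir "$workingFolder"; then
    echo "..could not create $workingFolder (already exists?)" >&2
    exit 1
fi
trap cleanup EXIT

# uncompress the archive (GNU tar's default strips leading '/' from member names;
# the archive itself is trusted input here, the repo's gpgcheck only verifies the
# RPMs inside it, so keep the archive's integrity checked out of band)
echo "..uncompressing archive to: $workingFolder"
if ! tar -xzvf "$archive" -C "$workingFolder"; then
    echo "..failed to extract $archive" >&2
    exit 1
fi

# create an entry for the repo: disabled by default and GPG-checked against the
# key already on the host, so packages from the archive are signature-verified.
# NOTE(review): the key path is the CentOS 7 release key; confirm it exists on the
# target image (RHEL images ship RPM-GPG-KEY-redhat-release instead).
echo "..creating repo file: $repoFile"
cat > "$repoFile" << EOF
[$offlineRepoName]
name=$offlineRepoName
baseurl=file://$workingFolder/$offlineRepoName
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF

# run the stig script and propagate its exit status (cleanup runs via the trap)
echo "..executing stig script: $stigFile"
bash "$stigFile"
rc=$?
echo "..stig script done. Time for cleanup"
exit $rc

--------------------------------------------------------------------------------
/zero trust architecture blueprint/zero-trust-architecture-offline-v2/scripts/dependencies/online/apply-stigs.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Apply the RHEL 7 STIG on a host with online package access: the STIG script
# is expected next to this one, and its exit status is the script's exit status.
stigFile="rhel7.sh"

if [ ! -f "$stigFile" ]; then
    echo "..stig script not found in $(pwd): $stigFile" >&2
    exit 1
fi

# run the stig script
echo "..executing stig script: $stigFile"
bash "$stigFile"

--------------------------------------------------------------------------------
/zero trust architecture blueprint/zero-trust-architecture-offline-v2/scripts/upload.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Stages the deployment artifacts under .\dependencies into an Azure Storage
    container and prints the container URL.
.DESCRIPTION
    Creates (or reuses) the "<ResourcePrefix>-artifacts" resource group and the
    "<ResourcePrefix>artifacts" storage account, uploads every file below the
    script's dependencies folder into the "artifacts" container (the relative
    folder path becomes the blob name) and writes the container URL to the host.
.PARAMETER ResourcePrefix
    Prefix for the artifact resource group and storage account names.
.PARAMETER Region
    Azure region for the artifact resources. Defaults to usgovarizona.
#>
Param(
    [string]
    [Parameter(Mandatory = $true)]
    $ResourcePrefix,

    [string]
    $Region = "usgovarizona"
)

# fail fast: a partially uploaded artifact set must not end with a URL being printed
$ErrorActionPreference = 'Stop'

function Create-ArtifactStorageAccount {
    <#
    .SYNOPSIS
        Ensures the artifact storage account exists, creating it when no account
        of that name is visible in the current subscription.
    .PARAMETER ResourceGroupName
        Resource group a new account is created in.
    .PARAMETER Region
        Azure region for a new account.
    .PARAMETER artifactStorageAccountName
        Globally unique storage account name to look up or create.
    #>
    param(
        [Parameter(Mandatory = $True)]
        [string]
        $ResourceGroupName,

        [Parameter(Mandatory = $True)]
        [string]
        $Region,

        [Parameter(Mandatory = $True)]
        [string]
        $artifactStorageAccountName
    )

    # the lookup is subscription-wide, so an account with this name in another
    # resource group is reused as-is
    $existingAccount = Get-AzStorageAccount | Where-Object { $_.StorageAccountName -eq $artifactStorageAccountName }

    if (!$existingAccount) {
        Write-Host "Creating a new artifact storage account $artifactStorageAccountName"
        # HTTPS-only transport; GRS keeps the staged artifacts available across a
        # regional outage. NOTE(review): consider also pinning -MinimumTlsVersion
        # once the Az.Storage version in use is confirmed to support it.
        $existingAccount = New-AzStorageAccount -ResourceGroupName $ResourceGroupName `
            -Name $artifactStorageAccountName `
            -Location $Region `
            -SkuName Standard_GRS `
            -Kind Storage `
            -EnableHttpsTrafficOnly $true
    }
    else {
        Write-Host "Using existing artifact storage account $artifactStorageAccountName"
    }
}

function Upload-Artifacts {
    <#
    .SYNOPSIS
        Uploads every file below a local directory into a storage container,
        keeping the relative folder structure as the blob name.
    .PARAMETER artifactStorageAccountName
        Storage account that holds the container.
    .PARAMETER containerName
        Container to upload into; created when missing.
    .PARAMETER LocalDirectoryToStage
        Local directory whose files are staged (absolute or relative path).
    .OUTPUTS
        System.String. The container URL (blob endpoint followed by the container name).
    #>
    param(
        [Parameter(Mandatory = $True)]
        [string]
        $artifactStorageAccountName,

        [Parameter(Mandatory = $True)]
        [string]
        $containerName,

        [Parameter(Mandatory = $True)]
        [string]
        $LocalDirectoryToStage
    )

    $storageAccount = Get-AzStorageAccount | Where-Object { $_.StorageAccountName -eq $artifactStorageAccountName }
    if (-not $storageAccount) {
        throw "Storage account '$artifactStorageAccountName' was not found in the current subscription."
    }

    # -Permission Container makes every blob in the container readable anonymously;
    # that is what lets deployments fetch the artifacts by plain URL, so nothing
    # sensitive may ever be staged here. Switch to -Permission Off plus a SAS token
    # if the consuming templates accept one. "Already exists" is the expected error
    # on re-runs, hence SilentlyContinue.
    $null = New-AzStorageContainer -Name $containerName -Context $storageAccount.Context -Permission Container -ErrorAction SilentlyContinue

    # resolve the root once so a relative LocalDirectoryToStage still yields correct
    # relative blob names (FullName of the staged files is always absolute)
    $rootPath = (Get-Item -LiteralPath $LocalDirectoryToStage).FullName

    $FilesToStage = @(Get-ChildItem -LiteralPath $rootPath -Recurse -File)
    Write-Host "Found $($FilesToStage.Count) file(s) at path $LocalDirectoryToStage"

    foreach ($FileToStage in $FilesToStage) {
        # Keep the source folder structure
        $blobName = $FileToStage.FullName.Substring($rootPath.Length).Replace("\", "/").Trim("/")

        $null = Set-AzStorageBlobContent -File $FileToStage.FullName -Blob "$blobName" `
            -Container $containerName `
            -Context $storageAccount.Context `
            -BlobType "Block" `
            -Force
    }

    Write-Host "Uploaded $($FilesToStage.Count) file(s) to Container '$($containerName)' in Storage Account '$($artifactStorageAccountName)'."
    return $storageAccount.Context.BlobEndPoint + $containerName
}


$containerName = "artifacts"
$artifactStorageAccountName = "$($ResourcePrefix)artifacts"
$artifactResourceGroupName = "$($ResourcePrefix)-artifacts"
$buildPath = "$PSScriptRoot\dependencies"

# storage account names must be 3-24 lowercase letters or digits; check before
# creating the resource group so a bad prefix fails with a clear message
if ($artifactStorageAccountName -notmatch '^[a-z0-9]{3,24}$') {
    throw "'$artifactStorageAccountName' is not a valid storage account name; ResourcePrefix must be lowercase letters/digits and at most 15 characters."
}

# Create the artifact storage account and stage the deployment files
New-AzResourceGroup -Name $artifactResourceGroupName -Location $Region -Verbose -Force
Create-ArtifactStorageAccount -ArtifactStorageAccountName $artifactStorageAccountName -ResourceGroupName $artifactResourceGroupName -Region $Region
$deploymentTemplateRoot = Upload-Artifacts -ArtifactStorageAccountName $artifactStorageAccountName -ContainerName $containerName -LocalDirectoryToStage $buildPath

Write-Host $deploymentTemplateRoot


--------------------------------------------------------------------------------
/zero trust architecture blueprint/zero-trust-architecture-offline-v2/src/hub-shared-security-kv.ps1:
--------------------------------------------------------------------------------

<#
.SYNOPSIS
    Sets up customer-managed encryption for the hub: Key Vault keys, a Disk
    Encryption Set, and Key Vault encryption for every storage account in the hub
    resource group; finally sets the vault's network default action to Deny.
.DESCRIPTION
    Runs as an Azure deployment script ($DeploymentScriptOutputs is kept for that
    contract; nothing is written to it). Resource names derive from
    "<namePrefix>-<hubName>": the "-rg" resource group, the "-kv" vault, the disk
    and storage-diagnostics keys and the disk encryption set. Existing keys are
    reused; the disk encryption set is created each run.
.PARAMETER namePrefix
    Deployment name prefix shared with the rest of the blueprint.
.PARAMETER hubName
    Hub name; combined with namePrefix to form all resource names.
.PARAMETER location
    Azure region for the disk encryption set.
#>
param(
    [string]
    [Parameter(Mandatory = $true)] $namePrefix,
    [string]
    [Parameter(Mandatory = $true)] $hubName,
    [string]
    [Parameter(Mandatory = $true)] $location
)

$ErrorActionPreference = 'Stop'
$DeploymentScriptOutputs = @{}

$DeployPrefix = $namePrefix + '-' + $hubName
$ResourceGroupName = $DeployPrefix + '-rg'
$VaultName = $DeployPrefix + '-kv'
$LocationName = $location

$KeyName = $DeployPrefix + '-disk-encryption-key'
$StorageAcctKeyName = $DeployPrefix + '-sa-diag-encryption-key'
$DiskEncryptionSetName = $DeployPrefix + '-disk-encryption-set'
$kekEncryptionUrlSecretName = 'disk-key-kek-kid'

# Get KeyVault (Get-AzKeyVault returns nothing rather than an error when it is missing)
$kv = Get-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroupName
if ($null -eq $kv) {
    throw "Key Vault '$VaultName' was not found in resource group '$ResourceGroupName'."
}

# Returns the named key from $VaultName, creating it when it does not exist yet.
# -Destination selects HSM-backed ('HSM') or software-protected ('Software') key material.
function Get-OrCreateVaultKey {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,
        [Parameter(Mandatory = $true)] [string] $Destination
    )

    # SilentlyContinue overrides the script-wide Stop so a missing key yields $null
    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $key) {
        $key = Add-AzKeyVaultKey -VaultName $VaultName -Name $Name -Destination $Destination
    }
    return $key
}

# The disk key is HSM-backed, the storage diagnostics key software-protected, as in
# the original deployment. NOTE(review): HSM-backed keys require a Premium vault SKU;
# confirm the vault is Premium or Add-AzKeyVaultKey fails here.
$diskEncrptKey = Get-OrCreateVaultKey -Name $KeyName -Destination 'HSM'
$storAcctKey = Get-OrCreateVaultKey -Name $StorageAcctKeyName -Destination 'Software'

# Update secret for KeK encryption with KV KeK URL. The key identifier is not
# confidential; NOTE(review): presumably later deployment steps read this secret to
# find the key — verify against the consumers before renaming it.
$secretvalue = ConvertTo-SecureString $diskEncrptKey.Key.Kid -AsPlainText -Force
$null = Set-AzKeyVaultSecret -VaultName $VaultName -Name $kekEncryptionUrlSecretName -SecretValue $secretvalue

# Create New Disk Encryption Set backed by the disk key, with a system-assigned
# identity that is granted vault access below
$desConfig = New-AzDiskEncryptionSetConfig `
    -Location $LocationName `
    -SourceVaultId $kv.ResourceId `
    -KeyUrl $diskEncrptKey.Key.Kid `
    -IdentityType SystemAssigned

$null = New-AzDiskEncryptionSet `
    -Name $DiskEncryptionSetName `
    -ResourceGroupName $ResourceGroupName `
    -InputObject $desConfig

# Re-read the disk encryption set (as the original did) before using its identity
$des = Get-AzDiskEncryptionSet `
    -ResourceGroupName $ResourceGroupName `
    -Name $DiskEncryptionSetName

# Least-privilege key permissions for the DES identity: it only needs to wrap and
# unwrap the disk encryption key. -BypassObjectIdValidation skips the directory
# lookup of the identity that was created moments ago.
$null = Set-AzKeyVaultAccessPolicy `
    -VaultName $VaultName `
    -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get `
    -BypassObjectIdValidation

# Encrypt every storage account in the hub resource group with the storage key:
# give each account a managed identity, grant it wrap/unwrap on the vault, then
# switch the account to Key Vault (customer-managed key) encryption. The key
# itself is fixed for the whole loop, so it is resolved once above.
foreach ($account in Get-AzStorageAccount -ResourceGroupName $ResourceGroupName) {
    $StorageAcctName = $account.StorageAccountName
    Write-Host $StorageAcctName

    $storageAccount = Set-AzStorageAccount `
        -ResourceGroupName $ResourceGroupName `
        -Name $StorageAcctName `
        -AssignIdentity

    # Add Storage Account identity to KeyVault Access Policy
    $null = Set-AzKeyVaultAccessPolicy `
        -VaultName $kv.VaultName `
        -ObjectId $storageAccount.Identity.PrincipalId `
        -PermissionsToKeys wrapkey, unwrapkey, get `
        -BypassObjectIdValidation

    # Encrypt the storage account with the Key Vault key
    $null = Set-AzStorageAccount -ResourceGroupName $ResourceGroupName `
        -AccountName $StorageAcctName `
        -KeyvaultEncryption `
        -KeyName $storAcctKey.Name `
        -KeyVersion $storAcctKey.Version `
        -KeyVaultUri $kv.VaultUri
}

# Now that all KV actions are done, deny network access by default; the vault's
# existing allow-lists and Bypass setting are left unchanged because -Bypass is not
# passed. NOTE(review): the disk encryption set and the storage accounts still need
# to reach the vault for wrap/unwrap — confirm the vault's Bypass setting allows
# trusted Azure services before relying on Deny here.
Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -DefaultAction Deny
--------------------------------------------------------------------------------
/zero trust architecture blueprint/zero-trust-architecture-v2/README.md:
--------------------------------------------------------------------------------
# Instructions

The following instructions cover deploying the artifacts included in the package, which may include:

* Azure Policy and Policy-Set assignments. 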
[More on Azure policies](https://docs.microsoft.com/en-us/azure/governance/policy/overview) 6 | 7 | * Azure RBAC (Role Based Access Control) assignments. [More on Azure RBAC](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview) 8 | 9 | * Resource Groups and Resources. [Learn more](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/overview#terminology) 10 | 11 | ## Prerequisites 12 | 13 | 1. An active Azure or Azure Government subscription (this is where audit policies and other resources will be deployed). 14 | 2. Owner level permissions on the management group and subscription. Keep ManagementGroupId or SubscriptionId handy. 15 | 3. All the files and sub directories in current directory. 16 | 17 | ## Azure Blueprint 18 | 19 | More on Azure Blueprint can be found [here](https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/lifecycle). In order to customize and assign blueprint we first need to import it into your Azure subscription, follow these steps to do so. 20 | 21 | ### Import via Azure CloudShell 22 | 23 | > [!TIP] 24 | > Alternatively you can execute same steps via PowerShell shell (min version 7.0.0) installed on local computer by connecting to target Azure Cloud environment and subscription context. [Learn how to](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.6.1) 25 | 26 | 1. Open CloudShell in Azure Portal. [Learn how to](https://docs.microsoft.com/en-us/azure/cloud-shell/overview) 27 | 28 | 2. Launch PowerShell in Azure CloudShell. [Learn how to](https://docs.microsoft.com/en-us/azure/cloud-shell/overview#choice-of-preferred-shell-experience) 29 | > [!NOTE] 30 | > If you don't have any storage mounted, Azure CloudShell requires an Azure file share to persist files. This will create a new storage account. Click "Create Storage". 31 | 32 | 3. Run the following command to clone the Azure ato-toolkit repository to clouddrive. 
33 | ```powershell 34 | git clone https://github.com/Azure/ato-toolkit.git $HOME/clouddrive/ato-toolkit 35 | ``` 36 | 37 | > [!TIP] 38 | > Run `dir $HOME/clouddrive` to verify content of directory. 39 | 40 | 4. Run the following commands to import the powershell module required to import the blueprint. Note: Commands may fail if module is already installed and imported. 41 | ```powershell 42 | Install-Module -Name Az.Blueprint 43 | Import-Module Az.Blueprint 44 | ``` 45 | 46 | 5. Run the following command to import artifacts as blueprint and save it within the specified subscription or management group. 47 | ```powershell 48 | Import-AzBlueprintWithArtifact -Name "YourBlueprintName" -SubscriptionId "00000000-1111-0000-1111-000000000000" -InputPath "$HOME/clouddrive/ato-toolkit/zero trust architecture blueprint/zero-trust-architecture-v2/blueprint" 49 | ``` 50 | 51 | > [!IMPORTANT] 52 | > Use -InputPath "$HOME/clouddrive/ato-toolkit/zero trust architecture blueprint/zero-trust-architecture-v2/blueprint_gov" for AzureUSGovernment environment. 53 | 54 | > [!NOTE] 55 | > The input path must point to the folder where blueprint.json file is placed. 56 | 57 | 6. From Azure Portal, browse to Azure Blueprint service tab and select "Blueprint definitions". You can review newly imported blueprint in there and follow instructions to edit, publish and assign blueprint. [Learn how to](https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal#edit-a-blueprint) 58 | 59 | ## Post blueprint assignment steps 60 | 61 | Blueprint creates virtual networks, configures routing and firewall rules and enables audit and diagnostic. Spoke resource group is not ready for you to deploy your application workloads. To enable centralized management and connectivity, subnets created in Hub resource group can be utilized to host Jumpbox, Azure Bastion Host and or other shared management services such as Active Directory. 
62 | 63 | Please review all the Firewall and Network Security Group rules and make necessary customizations required to support your application workload. 64 | 65 | If more than one Spokes are needed for additional applications. Re-assign the blueprint or update the assignment by providing following parameter values. 66 | 67 | * Deploy Hub: false 68 | * Spoke Workload name: New name 69 | * Virtual Network address prefix: New value that will not create conflict with existing address prefixes. 70 | 71 | ## Feedback 72 | 73 | For more information, questions, or feedback please [contact us](https://aka.ms/zerotrust-blueprint-feedback). 74 | -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-v2/blueprint/artifacts/hub-shared-network-watcher.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "template": { 4 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 5 | "contentVersion": "1.0.0.0", 6 | "parameters": { 7 | "networkWatcherName": { 8 | "defaultValue": "[concat('NetworkWatcher_', parameters('networkWatcherLocation'))]", 9 | "type": "string", 10 | "metadata": { 11 | "displayName": "Network Watcher name", 12 | "description": "Name of the Network Watcher resource." 13 | } 14 | }, 15 | "networkWatcherLocation": { 16 | "defaultValue": "[resourceGroup().location]", 17 | "type": "string", 18 | "metadata": { 19 | "displayName": "Network Watcher location", 20 | "description": "Location of the Network Watcher resource." 21 | } 22 | }, 23 | "deployHub": { 24 | "type": "bool", 25 | "defaultValue": true, 26 | "metadata": { 27 | "displayName": "Deploy Hub", 28 | "description": "Deploy Hub." 
29 | } 30 | } 31 | }, 32 | "variables": {}, 33 | "resources": [ 34 | { 35 | "type": "Microsoft.Network/networkWatchers", 36 | "apiVersion": "2020-06-01", 37 | "name": "[parameters('networkWatcherName')]", 38 | "location": "[parameters('networkWatcherLocation')]", 39 | "condition": "[parameters('deployHub')]", 40 | "tags": { 41 | "component": "hub-shared-network-vnet" 42 | }, 43 | "properties": {} 44 | } 45 | ], 46 | "outputs": {} 47 | }, 48 | "parameters": { 49 | "networkWatcherName": { 50 | "value": "[parameters('networkWatcherName')]" 51 | }, 52 | "networkWatcherLocation": { 53 | "value": "[parameters('networkWatcherLocation')]" 54 | }, 55 | "deployHub": { 56 | "value": "[parameters('deployHub')]" 57 | } 58 | }, 59 | "resourceGroup": "NetworkWatcherResourceGroup", 60 | "displayName": "Azure Network Watcher template", 61 | "description": "Azure Network Watcher template." 62 | }, 63 | "kind": "template", 64 | "id": "/providers/Microsoft.Blueprint/blueprints/c09d6b03-f048-4dd4-a5d9-46eda7e47ac4/artifacts/46d1d6ab-09b4-4cf2-87e7-fdf0516c932b", 65 | "type": "Microsoft.Blueprint/blueprints/artifacts", 66 | "name": "46d1d6ab-09b4-4cf2-87e7-fdf0516c932b" 67 | } -------------------------------------------------------------------------------- /zero trust architecture blueprint/zero-trust-architecture-v2/blueprint_gov/artifacts/hub-shared-network-watcher.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "template": { 4 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 5 | "contentVersion": "1.0.0.0", 6 | "parameters": { 7 | "networkWatcherName": { 8 | "defaultValue": "[concat('NetworkWatcher_', parameters('networkWatcherLocation'))]", 9 | "type": "string", 10 | "metadata": { 11 | "displayName": "Network Watcher name", 12 | "description": "Name of the Network Watcher resource." 
13 | } 14 | }, 15 | "networkWatcherLocation": { 16 | "defaultValue": "[resourceGroup().location]", 17 | "type": "string", 18 | "metadata": { 19 | "displayName": "Network Watcher location", 20 | "description": "Location of the Network Watcher resource." 21 | } 22 | }, 23 | "deployHub": { 24 | "type": "bool", 25 | "defaultValue": true, 26 | "metadata": { 27 | "displayName": "Deploy Hub", 28 | "description": "Deploy Hub." 29 | } 30 | } 31 | }, 32 | "variables": {}, 33 | "resources": [ 34 | { 35 | "type": "Microsoft.Network/networkWatchers", 36 | "apiVersion": "2020-06-01", 37 | "name": "[parameters('networkWatcherName')]", 38 | "location": "[parameters('networkWatcherLocation')]", 39 | "condition": "[parameters('deployHub')]", 40 | "tags": { 41 | "component": "hub-shared-network-vnet" 42 | }, 43 | "properties": {} 44 | } 45 | ], 46 | "outputs": {} 47 | }, 48 | "parameters": { 49 | "networkWatcherName": { 50 | "value": "[parameters('networkWatcherName')]" 51 | }, 52 | "networkWatcherLocation": { 53 | "value": "[parameters('networkWatcherLocation')]" 54 | }, 55 | "deployHub": { 56 | "value": "[parameters('deployHub')]" 57 | } 58 | }, 59 | "resourceGroup": "NetworkWatcherResourceGroup", 60 | "displayName": "Azure Network Watcher template", 61 | "description": "Azure Network Watcher template." 62 | }, 63 | "kind": "template", 64 | "id": "/providers/Microsoft.Blueprint/blueprints/c09d6b03-f048-4dd4-a5d9-46eda7e47ac4/artifacts/46d1d6ab-09b4-4cf2-87e7-fdf0516c932b", 65 | "type": "Microsoft.Blueprint/blueprints/artifacts", 66 | "name": "46d1d6ab-09b4-4cf2-87e7-fdf0516c932b" 67 | } --------------------------------------------------------------------------------