Defender for APIs is not enabled by default #1167
Comments
@robsissons-contino You can deploy your Defender for Cloud policies using custom configuration and then set enable_defender_for_apis to false. This will give you the opportunity to create and assign a built-in policy in your ALZ deployment. See the configuration in the link below: Deploy-Management-Resources-With-Custom-Settings

Now, you need to create a custom policy assignment using the built-in policy named "Configure Microsoft Defender for APIs plan", specifically for MDFC for APIs. Follow the instructions provided in the link below to achieve this.

In the meantime, I'm creating a PR for a new MDFC policy initiative which will have the definition configuration below, with the P1 plan as the default value.

```json
{
  "policyDefinitionReferenceId": "defenderForAPIs",
  "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-APIs",
  "parameters": {
    "effect": {
      "value": "[parameters('enableAscForAPIs')]"
    },
    "subPlan": {
      "value": "[parameters('enableAscForAPIsSubPlan')]"
    }
  },
  "groupNames": []
}
```

With that being said, once the PR is approved, you would have to create a directory lib in your ALZ root module and a file archetype_extension_es_root.tmpl.json under the lib directory, and add the code below to set the plan as needed to one of the allowed values P1, P2, P3, P4 or P5 (the file is decoded as JSON, so keep it free of comments).

```json
{
  "extend_es_root": {
    "policy_assignments": ["Deploy-MDFC-Config-H324"],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {
        "Deploy-MDFC-Config-H324": {
          "enableAscForAPIsSubPlan": "P1"
        }
      },
      "access_control": {}
    }
  }
}
```

Finally, you need to add library_path = "${path.root}/lib" to your module block. See below for an example.

```hcl
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "myorg"
  root_name      = "My Organization"
  library_path   = "${path.root}/lib"
}
```

Hope that helps
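As an added check for the procedure in the comment above (example code written for this thread, not the module's or the Azure/Enterprise-Scale repo's own tooling): the script below inspects an exported Deploy-MDFC-Config policy set definition to see whether it actually references Deploy-ASC-APIs and what effect and sub-plan a default assignment would get, and lints the lib/archetype_extension_es_root.tmpl.json file for the assignment name and sub-plan value. The assignment name (Deploy-MDFC-Config-H324), the parameter names (enableAscForAPIs, enableAscForAPIsSubPlan) and the Deploy-ASC-APIs reference are taken from the comment; the initiative's parameters block, its default values, the placeholder management-group scope and the "Example-Other-Definition" reference are constructed for the sample and are not real identifiers. Resolving [parameters('x')] to the initiative's defaultValue is a simplification, since a policy assignment can override that default.

```python
"""Added example (not the module's or Enterprise-Scale's own code): check whether
a Deploy-MDFC-Config initiative wires in Defender for APIs, and lint the
archetype extension file that sets the sub-plan."""
import re

ALLOWED_SUBPLANS = ("P1", "P2", "P3", "P4", "P5")  # values listed in the comment above
# Deploy-ASC-APIs definition id from the comment, minus the root-scope prefix.
APIS_SUFFIX = "/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-APIs"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def _resolve(value, set_params):
    """Map an ARM [parameters('x')] reference to the initiative's defaultValue
    for x. Simplification: an assignment may override the default, so this is
    what a plain assignment would get, not what a live assignment applies."""
    m = PARAM_REF.match(value) if isinstance(value, str) else None
    return set_params.get(m.group(1), {}).get("defaultValue") if m else value


def defender_for_apis_status(policy_set):
    """Report whether the initiative references Deploy-ASC-APIs and, if so,
    which effect and sub-plan a default assignment would apply."""
    props = policy_set.get("properties", {})
    set_params = props.get("parameters", {})
    for ref in props.get("policyDefinitions", []):
        if not ref.get("policyDefinitionId", "").endswith(APIS_SUFFIX):
            continue
        ref_params = ref.get("parameters", {})
        effect = _resolve(ref_params.get("effect", {}).get("value"), set_params)
        sub_plan = _resolve(ref_params.get("subPlan", {}).get("value"), set_params)
        return {"present": True, "reference_id": ref.get("policyDefinitionReferenceId"),
                "effect": effect, "sub_plan": sub_plan,
                # only DeployIfNotExists with a valid sub-plan turns the plan on
                "enabled": effect == "DeployIfNotExists" and sub_plan in ALLOWED_SUBPLANS}
    return {"present": False, "reference_id": None, "effect": None,
            "sub_plan": None, "enabled": False}


def check_archetype_extension(extension, assignment_name, sub_plan_param):
    """Lint a lib/archetype_extension_es_root.tmpl.json document and return a
    list of problems (empty when it is fine)."""
    root = extension.get("extend_es_root")
    if not isinstance(root, dict):
        return ["missing top-level 'extend_es_root' object"]
    problems = []
    if assignment_name not in root.get("policy_assignments", []):
        problems.append(f"'{assignment_name}' is not listed in policy_assignments")
    params = root.get("archetype_config", {}).get("parameters", {}).get(assignment_name)
    if not isinstance(params, dict):
        problems.append(f"no archetype_config.parameters entry for '{assignment_name}'")
        return problems
    value = params.get(sub_plan_param)
    if value not in ALLOWED_SUBPLANS:
        problems.append(f"{sub_plan_param}={value!r} is not one of {', '.join(ALLOWED_SUBPLANS)}")
    return problems


ROOT = "/providers/Microsoft.Management/managementGroups/myorg"  # placeholder scope

# Constructed sample: an initiative with no Deploy-ASC-APIs reference, the state
# the issue reports. "Example-Other-Definition" is a placeholder, not a real id.
WITHOUT_APIS = {"properties": {
    "parameters": {"enableAscForOther": {"type": "String", "defaultValue": "DeployIfNotExists"}},
    "policyDefinitions": [{
        "policyDefinitionReferenceId": "defenderForOther",
        "policyDefinitionId": ROOT + "/providers/Microsoft.Authorization/policyDefinitions/Example-Other-Definition",
        "parameters": {"effect": {"value": "[parameters('enableAscForOther')]"}}}]}}

# Constructed sample: the same initiative plus the reference quoted in the comment
# above; the two parameter defaults (DeployIfNotExists, P1) are assumed.
WITH_APIS = {"properties": {
    "parameters": {"enableAscForAPIs": {"type": "String", "defaultValue": "DeployIfNotExists"},
                   "enableAscForAPIsSubPlan": {"type": "String", "defaultValue": "P1"}},
    "policyDefinitions": [{
        "policyDefinitionReferenceId": "defenderForAPIs",
        "policyDefinitionId": ROOT + APIS_SUFFIX,
        "parameters": {"effect": {"value": "[parameters('enableAscForAPIs')]"},
                       "subPlan": {"value": "[parameters('enableAscForAPIsSubPlan')]"}}}]}}

# The archetype extension from the comment above, as a Python literal.
EXTENSION = {"extend_es_root": {
    "policy_assignments": ["Deploy-MDFC-Config-H324"],
    "policy_definitions": [], "policy_set_definitions": [], "role_definitions": [],
    "archetype_config": {
        "parameters": {"Deploy-MDFC-Config-H324": {"enableAscForAPIsSubPlan": "P1"}},
        "access_control": {}}}}

if __name__ == "__main__":
    print("without:", defender_for_apis_status(WITHOUT_APIS))
    print("with:", defender_for_apis_status(WITH_APIS))
    print("extension:", check_archetype_extension(EXTENSION, "Deploy-MDFC-Config-H324", "enableAscForAPIsSubPlan"))
```

To run it against a real deployment, replace the constructed dictionaries with the JSON of the initiative you export from the management group (for example via az policy set-definition show) and with the contents of your lib file; a "present": False result on the assigned initiative is exactly the symptom this issue describes, while "present": True with "effect": "Disabled" means the reference exists but the assignment still has the plan switched off.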
Fixed by #1201 |
Hello @matt-FFFFFF, even after upgrading to the November release (v6.2.0), we're still having this issue. I see that you refused the PR https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/pull/1178. What should we do to activate Defender for APIs? Thank you.

Hi, I closed that PR because all policies come from the Enterprise-Scale repo. Could you raise an issue there? I'm sure they would appreciate a PR too!

Hi @matt-FFFFFF, apologies, but I am confused by the last comment where you advise that the policies come from the Enterprise-Scale repo. This is the ES repo we are discussing? It doesn't appear that Defender for APIs has been enabled in the latest release as expected. Can you confirm if this is still being looked at?
The repo upstream is Azure/Enterprise-Scale. This is where the policies come from so any changes would have to be made there first. |
Thanks @matt-FFFFFF for the speedy response. Apologies, I wasn't aware of the upstream repo being the owner of the policies deployed here; thanks for the info. Looking at the Azure/Enterprise-Scale repo, they have a definition which should do the trick. How do we go about requesting this being made live here?
Versions
terraform: 1.9.5
azure provider: 3.116.0
module: 6.1.0
Description
Describe the bug
The Defender for Cloud policy initiative does not enable "Defender for APIs".
It looks like there are multiple versions of the 'Deploy-MDFC-Config' initiative being worked on within the repository. The current version being assigned through the es_root archetype definition is "Deploy-MDFC-Config_20240319", which is deployed using the archetype assignment called "Deploy-MDFC-Config-H224".
This initiative does not currently include the built-in definition for deploying Defender for APIs, which results in Azure Security Benchmark policy compliance failing on a new ES deployment.
Additional context
It looks like the other version of these policies/assignments within the repo already has the configuration to deploy and enable this feature (policySetDefinitions/Deploy-MDFC-Config). Can we migrate over so that this feature of Defender is enabled by default?
Also worth tidying up the multiple revisions of these policies?
I would have raised a PR, but it looks like the work is done; it just needs to be moved across?