Merge pull request #212345 from timwarner-msft/timwarner-attarticle

Add new policy attestation article

Author: v-regandowner

articles/governance/policy/concepts/attestation-structure.md

@@ -0,0 +1,62 @@
+---
+title: Details of the Azure Policy attestation structure
+description: Describes the components of the Azure Policy attestation JSON object.
+ms.date: 09/23/2022
+ms.topic: conceptual
+ms.author: timwarner
+author: timwarner-msft
+---
+# Azure Policy attestation structure
+
+`Microsoft.PolicyInsights/attestations`, called an Attestation resource, is a new proxy resource type
+ that sets the compliance states for targeted resources in a manual policy. You can only have one
+ attestation on one resource for an individual policy. In preview, Attestations are available
+only through the Azure Resource Manager (ARM) API.
+
+Below is an example of creating a new attestation resource:
+
+```http
+PUT http://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/attestations/{name}?api-version=2019-10-01
+```
+
+## Request body
+
+Below is a sample attestation resource JSON object:
+
+```json
+"properties": {
+    "policyAssignmentId": "/subscriptions/{subscriptionID}/providers/microsoft.authorization/policyassignments/{assignmentID}",
+    "policyDefinitionReferenceId": "{definitionReferenceID}",
+    "complianceState": "Compliant",
+    "expiresOn": "2023-07-14T00:00:00Z",
+    "owner": "{AADObjectID}",
+    "comments": "This subscription has passed a security audit. See attached details for evidence",
+    "evidence": [
+        {
+          "description": "The results of the security audit.",
+          "sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"
+        },
+        {
+          "description": "Description of the attached evidence document.",
+          "sourceUri": "https://storagesamples.blob.core.windows.net/sample-container/contingency_evidence_adendum.docx"
+        },
+    ],
+}
+```
+
+|Property  |Description  |
+|---------|---------|
+|policyAssignmentId     |Required assignment ID for which the state is being set. |
+|policyDefinitionReferenceId     |Optional definition reference ID, if within a policy initiative. |
+|complianceState     |Desired state of the resources. Allowed values are `Compliant`, `NonCompliant`, and `Unknown`. |
+|owner     |Optional Azure AD object ID of responsible party. |
+|comments     |Optional description of why state is being set. |
+|evidence     |Optional link array for attestation evidence. |
+
+Because attestations are a separate resource from policy assignments, they have their own lifecycle. You can PUT, GET and DELETE attestations by using the ARM API. See the [Policy REST API Reference](/rest/api/policy) for more details.
+
+## Next steps
+
+- Review [Understanding policy effects](effects.md).
+- Study the [initiative definition structure](./initiative-definition-structure.md)
+- Review examples at [Azure Policy samples](../samples/index.md).

articles/governance/policy/concepts/effects.md

@@ -2,7 +2,7 @@
 title: Understand how effects work
 description: Azure Policy definitions have various effects that determine how compliance is managed and reported.
 author: timwarner-msft
-ms.date: 09/21/2022
+ms.date: 09/23/2022
 ms.topic: conceptual
 ms.author: timwarner
 ---
@@ -756,6 +756,23 @@ you'll need to create an attestation for that compliance state.
 > During Public Preview, support for manual policy is available through various Microsoft Defender
 > for Cloud regulatory compliance initiatives. If you are a Microsoft Defender for Cloud [Premium tier](https://azure.microsoft.com/pricing/details/defender-for-cloud/) customer, refer to their experience overview.
 
+Currently, the following regulatory policy initiatives include policy definitions containing the manual effect:
+
+- FedRAMP High
+- FedRAMP Medium
+- HIPAA
+- HITRUST
+- ISO 27001
+- Microsoft CIS 1.3.0
+- Microsoft CIS 1.4.0
+- NIST SP 800-171 Rev. 2
+- NIST SP 800-53 Rev. 4
+- NIST SP 800-53 Rev. 5
+- PCI DSS 3.2.1
+- PCI DSS 4.0
+- SOC TSP
+- SWIFT CSP CSCF v2022
+
 The following example targets Azure subscriptions and sets the initial compliance state to `Unknown`.
 
 ```json
@@ -794,51 +811,8 @@ When a policy definition with `manual` effect is assigned, you have the option t
 ### Attestations
 
 `Microsoft.PolicyInsights/attestations`, called an Attestation resource, is a new proxy resource type
- that sets the compliance states for targeted resources in a manual policy. You can only have one
- attestation on one resource for an individual policy. In preview, Attestations are available
-only through the Azure Resource Manager (ARM) API.
-
-Below is an example of creating a new attestation resource:
-
-```http
-PUT http://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/attestations/{name}?api-version=2019-10-01
-```
-
-#### Request body
-
-Below is a sample attestation resource JSON object:
-
-```json
-"properties": {
-    "policyAssignmentId": "/subscriptions/{subscriptionID}/providers/microsoft.authorization/policyassignments/{assignmentID}",
-    "policyDefinitionReferenceId": "{definitionReferenceID}",
-    "complianceState": "Compliant",
-    "expiresOn": "2023-07-14T00:00:00Z",
-    "owner": "{AADObjectID}",
-    "comments": "This subscription has passed a security audit. See attached details for evidence",
-    "evidence": [
-        {
-          "description": "The results of the security audit.",
-          "sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"
-        },
-        {
-          "description": "Description of the attached evidence document.",
-          "sourceUri": "https://storagesamples.blob.core.windows.net/sample-container/contingency_evidence_adendum.docx"
-        },
-    ],
-}
-```
-
-|Property  |Description  |
-|---------|---------|
-|policyAssignmentId     |Required assignment ID for which the state is being set. |
-|policyDefinitionReferenceId     |Optional definition reference ID, if within a policy initiative. |
-|complianceState     |Desired state of the resources. Allowed values are `Compliant`, `NonCompliant`, and `Unknown`. |
-|owner     |Optional Azure AD object ID of responsible party. |
-|comments     |Optional description of why state is being set. |
-|evidence     |Optional link array for attestation evidence. |
-
-Because attestations are a separate resource from policy assignments, they have their own lifecycle. You can PUT, GET and DELETE attestations by using the ARM API. See the [Policy REST API Reference](/rest/api/policy) for more details.
+ that sets the compliance states for targeted resources in a manual policy. Learn more about
+the attestation resource by reading [Azure Policy attestation structure](attestation-structure.md).
 
 ## Modify
 

articles/governance/policy/toc.yml

@@ -196,6 +196,9 @@
   - name: Policy applicability
     displayName: policy, applicability, scope
     href: ./concepts/policy-applicability.md
+  - name: Policy attestation
+    displayName: manual policy, compliance, attestation
+    href: ./concepts/attestation-structure.md
   - name: React to policy state change events
     displayName: event grid, subject, topic, subscription
     href: ./concepts/event-overview.md