Merge pull request #267561 from AlizaBernstein/WI-215990-release-deprecate-two-recom-over-provisioned-identities

prmerger-automator[bot] · web-flow · commit 688468b48926 · 2024-03-05T10:16:38.000Z
WI-215990-release-deprecate-two-recom-over-provisioned-identities
diff --git a/articles/defender-for-cloud/enable-permissions-management.md b/articles/defender-for-cloud/enable-permissions-management.md
@@ -132,7 +132,7 @@ The integration feature comes as part of Defender CSPM plan and doesn't require
 | Category  | Capabilities                                                 | Defender for Cloud | Permissions Management |
 | --------- | ------------------------------------------------------------ | ------------------ | ---------------------- |
 | Discover  | Permissions  discovery for risky identities (including unused identities, overprovisioned  active identities, super identities) in Azure, AWS, GCP | ✓                  | ✓                      |
-| Discover  | Permissions  Creep Index (PCI) for multicloud environments (Azure, AWS, GCP) and all  identities | ✓                  | ✓                      |
+| Discover  | Permissions  Creep Index (PCI) for multicloud environments (Azure, AWS, GCP) and all  identities | ❌                  | ✓                      |
 | Discover  | Permissions  discovery for all identities, groups in Azure, AWS, GCP | ❌                  | ✓                      |
 | Discover  | Permissions  usage analytics, role / policy assignments in Azure, AWS, GCP | ❌                  | ✓                      |
 | Discover  | Support  for Identity Providers (including AWS IAM Identity Center, Okta, GSuite) | ❌                  | ✓                      |
diff --git a/articles/defender-for-cloud/recommendations-reference.md b/articles/defender-for-cloud/recommendations-reference.md
@@ -1441,13 +1441,6 @@ Learn more in [Introduction to Microsoft Defender for Storage](/azure/defender-f
 
 **Severity**: Low
 
-### [Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/d103537b-9f3d-4658-a568-31dd66eb05cb)
-
-**Description**: Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage
-(No related policy).
-
-**Severity**: Medium
-
 ### [Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/75396512-3323-9be4-059d-32ecb113c3de)
 
 **Description**: Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database.
@@ -2153,6 +2146,19 @@ Note that the following subnet types will be listed as not applicable: GatewaySu
 
 ## Deprecated recommendations
 
+### Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)
+
+**Description**: Over-provisioned identities in subscription should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage
+(No related policy).
+
+**Severity**: Medium
+
+### Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)
+
+**Description**: Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) and to safeguard your infrastructure. Reduce the PCI by removing the unused high risk permission assignments. High PCI reflects risk associated with the identities with permissions that exceed their normal or required usage.
+
+**Severity**: Medium
+
 ### Access to App Services should be restricted
 
 **Description & related policy**: Restrict access to your App Services by changing the networking configuration, to deny inbound traffic from ranges that are too broad.
diff --git a/articles/defender-for-cloud/release-notes.md b/articles/defender-for-cloud/release-notes.md
@@ -24,8 +24,21 @@ If you're looking for items older than six months, you can find them in the [Arc
 
 |Date | Update |
 |----------|----------|
+| March 5 | [Deprecation of two recommendations related to PCI](#deprecation-of-two-recommendations-related-to-pci) |
 | March 3 | [Defender for Cloud Containers Vulnerability Assessment powered by Qualys retirement](#defender-for-cloud-containers-vulnerability-assessment-powered-by-qualys-retirement) |
 
+### Deprecation of two recommendations related to PCI
+
+March 5, 2024
+
+The following two recommendations related to Permission Creep Index (PCI) are being deprecated:
+
+- Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI)
+- Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI)
+
+See the [list of deprecated security recommendations](recommendations-reference.md#deprecated-recommendations).
+
+
 ### Defender for Cloud Containers Vulnerability Assessment powered by Qualys retirement
 
 March 3, 2024
