Merge pull request #277474 from johnmarco/jm-arc-new-security-docs

Arc servers: New security section

Author: Jill Grant

articles/azure-arc/servers/agent-release-notes-archive.md

@@ -75,7 +75,7 @@ The Windows Admin Center in Azure feature is incompatible with Azure Connected M
 
 - The Linux installation script now downloads supporting assets with either wget or curl, depending on which tool is available on the system
 - [azcmagent connect](azcmagent-connect.md) and [azcmagent disconnect](azcmagent-disconnect.md) now accept the `--user-tenant-id` parameter to enable Lighthouse users to use a credential from their tenant and onboard a server to a different tenant.
-- You can configure the extension manager to run, without allowing any extensions to be installed, by configuring the allowlist to `Allow/None`. This supports Windows Server 2012 ESU scenarios where the extension manager is required for billing purposes but doesn't need to allow any extensions to be installed. Learn more about [local security controls](security-overview.md#local-agent-security-controls).
+- You can configure the extension manager to run, without allowing any extensions to be installed, by configuring the allowlist to `Allow/None`. This supports Windows Server 2012 ESU scenarios where the extension manager is required for billing purposes but doesn't need to allow any extensions to be installed. Learn more about [local security controls](security-extensions.md#local-agent-security-controls).
 
 ### Fixed
 
@@ -119,7 +119,7 @@ This endpoint will be removed from `azcmagent check` in a future release.
 ### Fixed
 
 - Fixed an issue that could cause a VM extension to disappear in Azure Resource Manager if it's installed with the same settings twice. After upgrading to agent version 1.33 or later, reinstall any missing extensions to restore the information in Azure Resource Manager.
-- You can now set the [agent mode](security-overview.md#agent-modes) before connecting the agent to Azure.
+- You can now set the [agent mode](security-extensions.md#agent-modes) before connecting the agent to Azure.
 - The agent now responds to instance metadata service (IMDS) requests even when the connection to Azure is temporarily unavailable.
 
 ## Version 1.32 - July 2023
@@ -221,7 +221,7 @@ Download for [Windows](https://download.microsoft.com/download/8/4/5/845d5e04-bb
 - The extension service now correctly restarts when the Azure Connected Machine agent is upgraded by Update Manager
 - Resolved issues with the hybrid connectivity component that could result in the "himds" service crashing, the server showing as "disconnected" in Azure, and connectivity issues with Windows Admin Center and SSH
 - Improved handling of resource move scenarios that could impact Windows Admin Center and SSH connectivity
-- Improved reliability when changing the [agent configuration mode](security-overview.md#local-agent-security-controls) from "monitor" mode to "full" mode.
+- Improved reliability when changing the [agent configuration mode](security-extensions.md#local-agent-security-controls) from "monitor" mode to "full" mode.
 - Increased the [resource limits](agent-overview.md#agent-resource-governance) for the Microsoft Sentinel DNS extension to improve log collection reliability
 - Tenant IDs are better validated when connecting the server
 
@@ -379,7 +379,7 @@ Download for [Windows](https://download.microsoft.com/download/2/5/6/25685d0f-28
 
 ### New features
 
-- You can configure the agent to operate in [monitoring mode](security-overview.md#agent-modes), which simplifies configuration of the agent for scenarios where you only want to use Arc for monitoring and security scenarios. This mode disables other agent functionality and prevents use of extensions that could make changes to the system (for example, the Custom Script Extension).
+- You can configure the agent to operate in [monitoring mode](security-extensions.md#agent-modes), which simplifies configuration of the agent for scenarios where you only want to use Arc for monitoring and security scenarios. This mode disables other agent functionality and prevents use of extensions that could make changes to the system (for example, the Custom Script Extension).
 - VMs and hosts running on Azure Stack HCI now report the cloud provider as "HCI" when [Azure benefits are enabled](/azure-stack/hci/manage/azure-benefits#enable-azure-benefits).
 
 ### Fixed
@@ -397,7 +397,7 @@ Download for [Windows](https://download.microsoft.com/download/a/3/4/a34bb824-d5
 
 - The default resource name for AWS EC2 instances is now the instance ID instead of the hostname. To override this behavior, use the `--resource-name PreferredResourceName` parameter to specify your own resource name when connecting a server to Azure Arc.
 - The network connectivity check during onboarding now verifies private endpoint configuration if you specify a private link scope. You can run the same check anytime by running [azcmagent check](azcmagent-check.md) with the new `--use-private-link` parameter.
-- You can now disable the extension manager with the [local agent security controls](security-overview.md#local-agent-security-controls).
+- You can now disable the extension manager with the [local agent security controls](security-extensions.md#local-agent-security-controls).
 
 ### Fixed
 
@@ -417,7 +417,7 @@ Download for [Windows](https://download.microsoft.com/download/e/a/4/ea4ea4a9-a9
 
 ### New features
 
-- You can now granularly control allowed and blocked extensions on your server and disable the Guest Configuration agent. See [local agent controls to enable or disable capabilities](security-overview.md#local-agent-security-controls) for more information.
+- You can now granularly control allowed and blocked extensions on your server and disable the Guest Configuration agent. See [local agent controls to enable or disable capabilities](security-extensions.md#local-agent-security-controls) for more information.
 
 ### Fixed
 

articles/azure-arc/servers/index.yml

@@ -21,6 +21,8 @@ landingContent:
             url: agent-overview.md
           - text: VMware FAQ
             url: vmware-faq.md
+          - text: Security overview
+            url: security-overview.md
 
       - linkListType: architecture
         links:

articles/azure-arc/servers/media/security-basics/connected-machine-agent-architecuture.png

@@ -34,7 +34,7 @@ You can use one of the [built-in roles](/azure/role-based-access-control/built-i
 
 ## Blocking run commands locally
 
-The Connected Machine agent supports local configurations that allow you to set an allowlist or a blocklist. See [Extension allowlists and blocklists](security-overview.md#extension-allowlists-and-blocklists) to learn more.
+The Connected Machine agent supports local configurations that allow you to set an allowlist or a blocklist. See [Extension allowlists and blocklists](security-extensions.md#allowlists-and-blocklists) to learn more.
 
 For Windows:
 

articles/azure-arc/servers/media/security-overview/access-control-page.png renamed to articles/azure-arc/servers/media/security-identity-authorization/access-control-page.png

@@ -0,0 +1,84 @@
+---
+title: Data and privacy
+description: Data and privacy for Arc-enabled servers.
+ms.topic: conceptual
+ms.date: 06/06/2024
+---
+
+# Data and privacy for Arc-enabled servers
+
+This article explains the data collection process by the Azure Connected Machine agent for Azure Arc-enabled servers, detailing how system metadata is gathered and sent to Azure. This article also describes the logging mechanisms available for Azure Arc-enabled servers, including the Azure Activity log for tracking server actions.
+
+## Information collected by Azure Arc
+
+As part of its normal operation, the Azure Connected Machine agent collects system metadata and sends it to Azure as part of its regular heartbeat. This metadata is populated in the Azure Arc-enabled server resource so you can identify and query your servers as part of your Azure inventory. Azure Arc collects no end user-identifiable data.
+
+See [instance metadata](/azure/azure-arc/servers/agent-overview#instance-metadata) for a complete list of metadata collected by Azure Arc. This list is regularly updated to reflect the data collected by the most recent release of the Azure Connected Machine agent. It's not possible to opt out of this data collection because it's used across Azure experiences to help filter and identify your servers.
+
+To collect cloud metadata, the Azure Connected Machine agent queries the instance metadata endpoints for AWS, GCP, Oracle Cloud, Azure Stack HCI and Azure. The agent checks if it’s in a cloud once, each time the "himds" service is started. Your security software may notice the agent reaching out to the following endpoints as part of that process: 169.254.169.254, 169.254.169.253, and metadata.google.internal.
+
+All data is handled according to [Microsoft’s privacy standards](https://www.microsoft.com/en-us/trust-center/privacy).
+
+## Data replication and disaster recovery
+
+Azure Arc-enabled servers is a software-as-a-service offering and handles data replication and disaster recovery preparation on your behalf. When you select the region to store your data, that data is automatically replicated to another region in that same geography to protect against a regional outage. In the event a region becomes unavailable, DNS records are automatically changed to point to the failover region. No action is required from you and your agents will automatically reconnect when the failover is complete.
+
+In some geographies, only one region supports Azure Arc-enabled servers. In these situations, data is still replicated for backup purposes to another region in that geography but won't be able to fail over to another region during an outage. You continue to see metadata in Azure from the last time your servers sent a heartbeat but  can't make changes or connect new servers until region functionality is restored. The Azure Arc team regularly considers region expansion opportunities to minimize the number of geographies in this configuration.
+
+## Compliance with regulatory standards
+
+Azure Arc is regularly audited for compliance with many global, regional, and industry-specific regulatory standards. A summary table of the compliance offerings is available at [https://aka.ms/AzureCompliance](https://aka.ms/AzureCompliance). 
+
+For more information on a particular standard and to download audit documents, see [Azure and other Microsoft cloud services compliance offerings](/azure/compliance/offerings/).
+
+## Azure Activity log
+
+You can use the Azure Activity log to track actions taken on an Azure Arc-enabled server. Actions like installing extensions on an Arc server have unique operation identifiers (all starting with “Microsoft.HybridCompute”) that you can use to filter the log. Learn more about the [Azure Activity Log](/azure/azure-monitor/essentials/activity-log-insights) and how to retain activity logs for more than 30 days by [sending activity log data](/azure/azure-monitor/essentials/activity-log?tabs=powershell) to Log Analytics. 
+
+## Local logs
+
+The Azure Connected Machine agent keeps a set of local logs on each server that may be useful for troubleshooting or auditing when the Arc agent made a change to the system. The fastest way to get a copy of all logs from a server is to run [azcmagent logs](/azure/azure-arc/servers/azcmagent-logs), which generates a compressed folder of all the latest logs for you.
+
+## HIMDS log
+
+The HIMDS log file contains all log data from the HIMDS service. This data includes heartbeat information, connection and disconnection attempts, and a history of REST API requests for IMDS metadata and managed identity tokens from other apps on the system.
+
+|OS  |Log location  |
+|---------|---------|
+|Windows |%PROGRAMDATA%\AzureConnectedMachineAgent\Log\himds.log |
+|Linux |/var/opt/azcmagent/log/himds.log |
+
+## azcmagent CLI log
+
+The azcmagent log file contains a history of commands run using the local “azcmagent” command line interface. This log provides the parameters used when connecting, disconnecting, or modifying the configuration of the agent.
+
+|OS  |Log location  |
+|---------|---------|
+|Windows |%PROGRAMDATA%\AzureConnectedMachineAgent\Log\azcmagent.log |
+|Linux |/var/opt/azcmagent/log/azcmagent.log |
+
+## Extension Manager log
+
+The extension manager log contains information about attempts to install, upgrade, reconfigure, and uninstall extensions on the machine.
+
+|OS  |Log location  |
+|---------|---------|
+|Windows |%PROGRAMDATA%\GuestConfig\ext_mgr_logs\gc_ext.log |
+|Linux |/var/lib/GuestConfig/ext_mgr_logs/gc_ext.log |
+
+Other logs may be generated by individual extensions. Logs for individual extensions aren't guaranteed to follow any standard log format.
+
+|OS  |Log location  |
+|---------|---------|
+|Windows |%PROGRAMDATA%\GuestConfig\extension_logs\* |
+|Linux |/var/lib/GuestConfig/extension_logs/* |
+
+## Machine Configuration log
+
+The machine configuration policy engine generates logs for the audit and enforcement of settings on the system.
+
+|OS  |Log location  |
+|---------|---------|
+|Windows |%PROGRAMDATA%\GuestConfig\arc_policy_logs\gc_agent.log |
+|Linux |/var/lib/GuestConfig/arc_policy_logs/gc_agent.log |
+