
Commit bc0b62d

Merge pull request #219741 from kenieva/kenieva
Add support for DenyAction
2 parents 5656af4 + 48fde63 commit bc0b62d

4 files changed

+99
-21
lines changed

articles/governance/policy/concepts/effects.md

Lines changed: 71 additions & 3 deletions
@@ -18,6 +18,7 @@ These effects are currently supported in a policy definition:
1818
- [Audit](#audit)
1919
- [AuditIfNotExists](#auditifnotexists)
2020
- [Deny](#deny)
21+
- [DenyAction (preview)](#denyaction-preview)
2122
- [DeployIfNotExists](#deployifnotexists)
2223
- [Disabled](#disabled)
2324
- [Manual (preview)](#manual-preview)
@@ -50,7 +51,10 @@ manages the evaluation and outcome and reports the results back to Azure Policy.
5051
Resource Manager mode.
5152
- **Deny** is then evaluated. By evaluating deny before audit, double logging of an undesired
5253
resource is prevented.
53-
- **Audit** is evaluated last.
54+
- **Audit** is evaluated.
55+
- **Manual** is evaluated.
56+
- **AuditIfNotExists** is evaluated.
57+
- **denyAction** is evaluated last.
5458

5559
After the Resource Provider returns a success code on a Resource Manager mode request,
5660
**AuditIfNotExists** and **DeployIfNotExists** evaluate to determine whether additional compliance
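
Review bot: The new `**denyAction**` bullet breaks the naming convention of the list it joins (`**Deny**`, `**Audit**`, `**Manual**` are all title case), so it should read `**DenyAction**`. More importantly, the new `**AuditIfNotExists** is evaluated.` bullet contradicts the unchanged paragraph directly below it, which says AuditIfNotExists and DeployIfNotExists evaluate only after the Resource Provider returns a success code; either drop that bullet or reword the paragraph so the two ordering statements agree. The Deny bullet explains why it sits before Audit (no double logging); a one-line rationale for why DenyAction is evaluated last would help readers in the same way.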
@@ -385,7 +389,7 @@ definitions as `constraintTemplate` is deprecated.
385389
- An _array_ of
386390
[Kubernetes namespaces](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
387391
to limit policy evaluation to.
388-
- An empty or missing value causes policy evaluation to include all namespaces, except those
392+
- An empty or missing value causes policy evaluation to include all namespaces, except the ones
389393
defined in _excludedNamespaces_.
390394
- **excludedNamespaces** (required)
391395
- An _array_ of
@@ -449,6 +453,70 @@ location of the Constraint template to use in Kubernetes to limit the allowed co
449453
}
450454
}
451455
```
456+
## DenyAction (preview)
457+
458+
`DenyAction` is used to block requests on intended action to resources. The only supported action today is `DELETE`. This effect will help prevent any accidental deletion of critical resources.
459+
460+
### DenyAction evaluation
461+
462+
When a request call with an applicable action name and targeted scope is submitted, `denyAction` prevents the request from succeeding. The request is returned as a `403 (Forbidden)`. In the portal, the Forbidden can be viewed as a status on the deployment that was prevented by the policy
463+
assignment.
464+
465+
`Microsoft.Authorization/policyAssignments`, `Microsoft.Authorization/denyAssignments`, `Microsoft.Blueprint/blueprintAssignments`, `Microsoft.Resources/deploymentStacks`, and `Microsoft.Authorization/locks` are all exempt from DenyAction enforcement to prevent lockout scenarios.
466+
467+
> [!NOTE]
468+
> Under preview, assignments with `denyAction` effect will show a `Not Started` compliance state.
469+
470+
#### Subscription deletion
471+
Policy won't block removal of resources that happens during a subscription deletion.
472+
473+
#### Resource group deletion
474+
Policy will evaluate resources that support location and tags against `DenyAction` policies during a resource group deletion. Only policies that have the `cascadeBehaviors` set to `deny` in the policy rule will block a resource group deletion. Policy won't block removal of resources that don't support location and tags nor any policy with `mode:all`.
475+
476+
#### Cascade deletion
477+
Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child resources. Policy won't block removal of child resources when a delete action targets the parent resources. For example, `Microsoft.Insights/diagnosticSettings` is a child resource of `Microsoft.Storage/storageaccounts`. If a `denyAction` policy targets `Microsoft.Insights/diagnosticSettings`, a delete call to the diagnostic setting (child) will fail, but a delete to the storage account (parent) will implicitly delete the diagnostic setting (child).
478+
479+
[!INCLUDE [policy-denyAction](../../../../includes/azure-policy-deny-action.md)]
480+
481+
### DenyAction properties
482+
483+
The **details** property of the DenyAction effect has all the subproperties that define the action and behaviors.
484+
485+
- **actionType** (required)
486+
- An _array_ that specifies what actions to prevent from being executed.
487+
- Supported action type is: `delete`.
488+
- **cascadeBehaviors** (optional)
489+
- An _object_ that defines what behavior will be followed when the resource is being implicitly deleted by the removal of a resource group.
490+
- Only supported for `mode:indexed`.
491+
- Allowed values are `allow` or `deny`.
492+
- Default value is `deny`.
493+
494+
### DenyAction example
495+
Example: Deny any delete calls targeting database accounts that have a tag environment that equals prod. Since cascade behavior is set to deny, block any DELETE call that targets a resource group with an applicable database account.
496+
497+
```json
498+
{
499+
"if": {
500+
"allOf": [
501+
{
502+
"field": "type",
503+
"equals": "Microsoft.DocumentDb/accounts"
504+
},
505+
{
506+
"field": "tags.environment",
507+
"equals": "prod"
508+
}
509+
]
510+
},
511+
"then": {
512+
"effect": "DenyAction",
513+
"details": {
514+
"actionNames": [ "delete" ],
515+
"cascadeBehaviors": { "resourceGroup": "deny" }
516+
}
517+
}
518+
}
519+
```
452520

453521
## DeployIfNotExists
454522

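
Review bot: The property documented under `### DenyAction properties` is `**actionType** (required)`, but the JSON example under `### DenyAction example` uses `"actionNames": [ "delete" ]`; one of the two is wrong, and a reader copying the example cannot tell which. Similarly, `cascadeBehaviors` is described only as "an _object_" with allowed values `allow` or `deny`, while the example shows `"cascadeBehaviors": { "resourceGroup": "deny" }`; the `resourceGroup` key (and any other keys the object accepts) needs to be listed in the property bullets. Smaller points: "Cascade deletion occurs when deleting of a parent resource is implicitly deletes all its child resources" should be "occurs when deleting a parent resource implicitly deletes all its child resources"; the resource type is `Microsoft.Storage/storageAccounts` (camel case); the 403 sentence is split mid-sentence across two lines ("policy" / "assignment"); and "Policy won't block removal of resources that don't support location and tags nor any policy with `mode:all`" mixes two subjects and would be clearer as two sentences (resources without location/tags are not blocked; policies with `mode: all` are not evaluated during resource group deletion).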
@@ -622,7 +690,7 @@ logs, and the policy effect don't occur. For more information, see
622690

623691
## Manual (preview)
624692

625-
The new `manual` (preview) effect enables you to self-attest the compliance of resources or scopes. Unlike other policy definitions that actively scan for evaluation, the Manual effect allows for manual changes to the compliance state. To change the compliance of a resource or scope targeted by a manual policy, you'll need to create an [attestation](attestation-structure.md). The [best practice](attestation-structure.md#best-practices) is to design manual policies that target the scope which defines the boundary of resources whose compliance need attesting.
693+
The new `manual` (preview) effect enables you to self-attest the compliance of resources or scopes. Unlike other policy definitions that actively scan for evaluation, the Manual effect allows for manual changes to the compliance state. To change the compliance of a resource or scope targeted by a manual policy, you'll need to create an [attestation](attestation-structure.md). The [best practice](attestation-structure.md#best-practices) is to design manual policies that target the scope that defines the boundary of resources whose compliance need attesting.
626694

627695
> [!NOTE]
628696
> During Public Preview, support for manual policy is available through various Microsoft Defender

articles/governance/policy/concepts/evaluate-impact.md

Lines changed: 3 additions & 5 deletions
@@ -6,14 +6,13 @@ ms.topic: conceptual
66
---
77
# Evaluate the impact of a new Azure Policy definition
88

9-
Azure Policy is a powerful tool for managing your Azure resources to business standards and to meet
9+
Azure Policy is a powerful tool for managing your Azure resources to meet business standards
1010
compliance needs. When people, processes, or pipelines create or update resources, Azure Policy
1111
reviews the request. When the policy definition effect is [Modify](./effects.md#modify),
1212
[Append](./effects.md#deny), or [DeployIfNotExists](./effects.md#deployifnotexists), Policy alters
1313
the request or adds to it. When the policy definition effect is [Audit](./effects.md#audit) or
1414
[AuditIfNotExists](./effects.md#auditifnotexists), Policy causes an Activity log entry to be created
15-
for new and updated resources. And when the policy definition effect is [Deny](./effects.md#deny),
16-
Policy stops the creation or alteration of the request.
15+
for new and updated resources. And when the policy definition effect is [Deny](./effects.md#deny) or [DenyAction](./effects.md#denyaction-preview), Policy stops the creation or alteration of the request.
1716

1817
These outcomes are exactly as desired when you know the policy is defined correctly. However, it's
1918
important to validate a new policy works as intended before allowing it to change or block work. The
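
Review bot: The rewritten opening sentence no longer parses once the unchanged line 10 is read with it: "managing your Azure resources to meet business standards" runs straight into "compliance needs.", so the text now says "to meet business standards compliance needs" with the conjunction lost; restore it, e.g. "to meet business standards and compliance needs". The new line 15 is also a single long line in a file that otherwise hard-wraps at about 100 characters, so it should be rewrapped to match. Adjacent and cheap to fix while this sentence is being touched: the context line `[Append](./effects.md#deny)` links Append to the Deny anchor instead of `#append`.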
@@ -110,8 +109,7 @@ setup appropriate
110109
[Azure Monitor alerts and notifications](../../../azure-monitor/alerts/alerts-overview.md) for
111110
when non-compliant devices are identified. It's also recommended to evaluate the policy definition
112111
and related assignments on a scheduled basis to validate the policy definition is meeting business
113-
policy and compliance needs. Policies should be removed if no longer needed. Policies also need
114-
updating from time to time as the underlying Azure resources evolve and add new properties and
112+
policy and compliance needs. Policies should be removed if no longer needed. Policies also need to update from time to time as the underlying Azure resources evolve and add new properties and
115113
capabilities.
116114

117115
## Next steps
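
Review bot: "Policies also need to update from time to time" changes the meaning of the original "Policies also need updating": the policies are what gets updated, not the agent doing it. Keep "need updating" (or "need to be updated"), and rewrap the new line 112 to the file's ~100-character convention rather than joining two lines into one.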

articles/governance/policy/overview.md

Lines changed: 5 additions & 13 deletions
@@ -36,7 +36,7 @@ All Azure Policy data and objects are encrypted at rest. For more information, s
3636

3737
## Overview
3838

39-
Azure Policy evaluates resources in Azure by comparing the properties of those resources to business
39+
Azure Policy evaluates resources and actions in Azure by comparing the properties of those resources to business
4040
rules. These business rules, described in [JSON format](./concepts/definition-structure.md), are
4141
known as [policy definitions](#policy-definition). To simplify management, several business rules
4242
can be grouped together to form a [policy initiative](#initiative-definition) (sometimes called a
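
Review bot: Adding "and actions" to "Azure Policy evaluates resources and actions in Azure" leaves the rest of the sentence unchanged, so it still says evaluation is done "by comparing the properties of those resources to business rules", which does not describe how an action is evaluated. Either extend the clause (for example "the properties of those resources, or the action being requested, to business rules") or introduce actions where the effects are described later in the file. The new line also overruns the file's wrap width and should be rewrapped.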
@@ -79,6 +79,7 @@ how an organization wants the platform to respond to a non-compliant resource in
7979
- Alter the resource before the change
8080
- Alter the resource after the change
8181
- Deploy related compliant resources
82+
- Block actions on resources
8283

8384
Azure Policy makes each of these business responses possible through the application of
8485
[effects](./concepts/effects.md). Effects are set in the **policy rule** portion of the
@@ -104,19 +105,12 @@ on Channel 9.
104105
### Azure Policy and Azure RBAC
105106

106107
There are a few key differences between Azure Policy and Azure role-based access control (Azure
107-
RBAC). Azure Policy evaluates state by examining properties on resources that are represented in
108-
Resource Manager and properties of some Resource Providers. Azure Policy doesn't restrict actions
109-
(also called _operations_). Azure Policy ensures that resource state is compliant to your business
110-
rules without concern for who made the change or who has permission to make a change. Some Azure
111-
Policy resources, such as [policy definitions](#policy-definition),
112-
[initiative definitions](#initiative-definition), and [assignments](#assignments), are visible to
113-
all users. This design enables transparency to all users and services for what policy rules are set
108+
RBAC). Azure Policy evaluates state by examining properties on resources that are represented in Resource Manager and properties of some Resource Providers. Azure Policy ensures that resource state is compliant to your business rules without concern for who made the change or who has permission to make a change. Azure Policy through DenyAction effect can also block certain actions on resources. Some Azure Policy resources, such as [policy definitions](#policy-definition), [initiative definitions](#initiative-definition), and [assignments](#assignments), are visible to all users. This design enables transparency to all users and services for what policy rules are set
114109
in their environment.
115110

116111
Azure RBAC focuses on managing user
117112
[actions](../../role-based-access-control/resource-provider-operations.md) at different scopes. If
118-
control of an action is required, then Azure RBAC is the correct tool to use. Even if an individual
119-
has access to perform an action, if the result is a non-compliant resource, Azure Policy still
113+
control of an action is required based on user information, then Azure RBAC is the correct tool to use. Even if an individual has access to perform an action, if the result is a non-compliant resource, Azure Policy still
120114
blocks the create or update.
121115

122116
The combination of Azure RBAC and Azure Policy provides full scope control in Azure.
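
Review bot: The new sentence "Azure Policy through DenyAction effect can also block certain actions on resources" needs articles and commas ("Azure Policy, through the DenyAction effect, can also block certain actions on resources") and should say which actions, since the effects page in this same PR states the only supported action is `DELETE`. The removed sentence "Azure Policy doesn't restrict actions (also called _operations_)" was the one place this section defined the term _operations_; keep a definition, since the RBAC paragraph that follows relies on it. With DenyAction in scope, the unchanged closing "Azure Policy still blocks the create or update" is now incomplete and should mention delete. Finally, lines 107-113 and 118-119 were merged into two very long lines; keep the file's hard-wrapping.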
@@ -185,9 +179,7 @@ settings and objects. To find out more, see
185179

186180
Here are a few pointers and tips to keep in mind:
187181

188-
- Start with an audit effect instead of a deny effect to track impact of your policy definition on
189-
the resources in your environment. If you have scripts already in place to autoscale your
190-
applications, setting a deny effect may hinder such automation tasks already in place.
182+
- Start with an `audit` or `auditIfNotExist` effect instead of an enforcement (`deny`, `modify`, `deployIfNotExist`) effect to track impact of your policy definition on the resources in your environment. If you have scripts already in place to autoscale your applications, setting an enforcement effect may hinder such automation tasks already in place.
191183

192184
- Consider organizational hierarchies when creating definitions and assignments. We recommend
193185
creating definitions at higher levels such as the management group or subscription level. Then,
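
Review bot: The effect names in the rewritten bullet are misspelled: `auditIfNotExist` and `deployIfNotExist` are missing the trailing "s". The effects are `auditIfNotExists` and `deployIfNotExists`, as the `#auditifnotexists` and `#deployifnotexists` anchors used elsewhere in this PR confirm. The bullet was also collapsed from three wrapped lines into one; rewrap it to match the surrounding list.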

includes/azure-policy-deny-action.md

Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
---
2+
title: "include file"
3+
description: "include file"
4+
author: kenieva
5+
ms.service: azure-policy
6+
ms.topic: "include"
7+
ms.date: 11/28/2022
8+
ms.author: kenieva
9+
---
10+
11+
This table describes if a resource will be protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call. In the context of this table, an indexed resource is one that supports tags and locations and a non-indexed resource is one that doesn't support tags or locations. For more information on indexed and non-indexed resources, reference [definition modes](../articles/governance/policy/concepts/definition-structure.md). Child resources are resources that exist only within the context of another resource. For example, a virtual machines extension resource is a child of the virtual machine, whom is the parent resource.
12+
13+
| Entity being deleted| Entity applicable to policy conditions | Action taken |
14+
|---|---|---|
15+
| Resource | Resource | Protected |
16+
| Subscription | Resource | Deleted |
17+
| Resource group | Indexed resource| Depends on `cascadeBehaviors` |
18+
| Resource group | Non indexed resource| Deleted |
19+
| Child resource | Parent resource | Parent is protected; child is deleted |
20+
| Parent resource | Child resource | Deleted |
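
Review bot: In the paragraph above the table, "a virtual machines extension resource is a child of the virtual machine, whom is the parent resource" should read "a virtual machine's extension resource is a child of the virtual machine, which is the parent resource" ("whom" is reserved for people). The opening sentence ("describes if a resource will be protected from deletion given the resource applicable to the assigned denyAction policy and the targeted scope of the DELETE call") would be clearer as "describes whether a resource is protected from deletion, depending on which resource the assigned denyAction policy applies to and which scope the DELETE call targets". In the table, "Non indexed resource" should be hyphenated to match "non-indexed" in the prose, and the "Depends on `cascadeBehaviors`" cell should state which value protects the resource (`deny`), because this include is rendered on its own and the property list lives in a different file.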
