Merge pull request #100888 from MicrosoftDocs/master

SyntaxC4 · web-flow · commit d5b1b617ea88 · 2020-01-11T13:50:46.000-08:00
Hotfix: Automation
diff --git a/articles/automation/TOC.yml b/articles/automation/TOC.yml
@@ -15,6 +15,8 @@
       displayName: certificate renewal
     - name: Configure authentication with AWS
       href: automation-config-aws-account.md
+    - name: Encryption of secure assets in Azure Automation
+      href: automation-secure-asset-encryption.md
     - name: Manage role-based access control
       href: automation-role-based-access-control.md
       displayName: RBAC
diff --git a/articles/automation/automation-secure-asset-encryption.md b/articles/automation/automation-secure-asset-encryption.md
@@ -0,0 +1,189 @@
+---
+title: Encryption of secure assets in automation
+description: Azure automation protects secure assets using multiple levels of encryption. By default, the encryption is done using Microsoft-managed keys. Customers can configure their automation accounts to use customer managed keys for encryption. This article describes the details of both modes of encryption and how you can switch between the two.
+services: automation
+ms.service: automation
+ms.subservice: process-automation
+author: snehithm
+ms.author: snmuvva
+ms.date: 01/11/2020
+ms.topic: conceptual
+manager: kmadnani
+---
+
+# Secure assets in Azure Automation
+
+Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are protected in Azure Automation using multiple levels of encryption. 
+Based on the top-level key used for the encryption, there are two models for encryption:
+-	Using Microsoft-managed keys
+-	Using customer-managed keys
+
+### Microsoft-managed Keys
+
+By default, your Azure Automation account uses Microsoft-managed keys.
+
+Each secure asset is encrypted and stored in Azure Automation using a unique key (Data Encryption key) that is generated for each automation account. These keys themselves are encrypted and stored in Azure Automation using yet another unique key that is generated for each account called an Account Encryption Key (AEK). These account encryption keys encrypted and stored in Azure Automation using Microsoft Managed Keys. 
+
+### Customer-managed Keys with Key Vault (preview)
+
+You can manage encryption of secure assets in Azure Automation at the level of an automation account with your own keys. When you specify a customer-managed key at the level of the Automation account, that key is used to protect and control access to the account encryption key for the automation account, which in turn is used to encrypt and decrypt all the secure assets. Customer-managed keys offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your secure assets. 
+
+You must use Azure Key Vault to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys.  For more information about Azure Key Vault, see [What is Azure Key Vault?](../key-vault/key-vault-overview.md)
+
+## Enable customer-managed keys for an Automation account
+
+When you enable encryption with customer-managed keys for an automation account, Azure Automation wraps the account encryption key with the customer-managed key in the associated key vault. Enabling customer-managed keys does not impact performance, and the account is encrypted with the new key immediately, without any time delay.
+
+A new automation account is always encrypted using Microsoft-managed keys. It's not possible to enable customer-managed keys at the time that the account is created. Customer-managed keys are stored in Azure Key Vault, and the key vault must be provisioned with access policies that grant key permissions to the managed identity that is associated with the automation account. The managed identity is available only after the storage account is created.
+
+When you modify the key being used for Azure Automation secure asset encryption by enabling or disabling customer-managed keys, updating the key version, or specifying a different key, then the encryption of the root key changes, but the secure assets in your Azure Automation account do not need to be re-encrypted.
+
+The following three sections describe the mechanics of enabling customer-managed keys for an Automation account. 
+
+> [!NOTE] 
+> To enable customer-managed keys, you will currently need to make Azure Automation REST APIs using api version 2020-01-13-preview
+
+### Pre-requisites for using Customer-managed keys in Azure Automation
+
+Before enabling customer-managed keys for an Automation account, you must ensure the following pre-requisites are met
+
+ - The customer-manged key is stored in an Azure Key Vault. 
+ - You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault. These features are required to allow for recovery of keys in case of accidental deletion.
+ - Only RSA keys are supported with Azure Automation encryption. For more information about keys, see [About Azure Key Vault keys, secrets, and certificates](../key-vault/about-keys-secrets-and-certificates.md#key-vault-keys).
+- The automation account and the key vault can be in different subscriptions but need to be in the same Azure Active Directory tenant.
+
+### Assign an identity to the automation account
+
+To use customer-managed keys with an automation account, your automation account needs to authenticate against the keyvault storing customer-managed keys. Azure Automation uses system assigned managed identities to authenticate the account with Key Vault. For more information about managed identities, see [What is managed identities for Azure resources?](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
+
+Configure a system assigned managed identity to the automation account using the following REST API call
+
+```http
+PATCH https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview
+```
+Request body
+```json
+{ 
+ "identity": 
+ { 
+  "type": "SystemAssigned" 
+  } 
+}
+```    
+
+System assigned identity for the automation account is returned in the response
+
+```json
+{
+ "name": "automation-account-name",
+ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name",
+ ..
+ "identity": {
+    "type": "SystemAssigned",
+    "principalId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+    "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
+ },
+..
+}
+```
+
+### Configure the Key Vault access policy
+
+Once a managed identity is assigned to the Automation account, you configure access to the Key Vault storing customer managed Keys. Azure Automation requires **get**, **recover**, **wrapKey**, **UnwrapKey** on the customer managed keys.
+
+Such an access policy can be set using the following REST API call.
+
+```http
+PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/sample-group/providers/Microsoft.KeyVault/vaults/sample-vault/accessPolicies/add?api-version=2018-02-14
+```
+Request body
+
+```json
+{
+  "properties": {
+    "accessPolicies": [
+      {
+        "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
+        "objectId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+        "permissions": {
+          "keys": [
+            "get",
+            "recover",
+            "wrapKey",
+            "unwrapKey"
+          ],
+          "secrets": [],
+          "certificates": []
+        }
+      }
+    ]
+  }
+}
+```
+
+> [!NOTE] 
+> The tenantId and objectId fields must be provided with values of identity.tenantId and identity.principalId from the response of managed identity for the automation account.
+
+### Change the configuration of automation account to use customer managed key
+
+Finally, you can switch your automation account from Microsft-managed keys to customer-managed keys, using the following REST API call.
+
+```http
+PATCH https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name?api-version=2020-01-13-preview
+```
+Request body
+
+```json
+ {
+    "properties": {
+      "encryption": {
+        "keySource": "Microsoft.Keyvault",
+        "keyvaultProperties": {
+          "keyName": "sample-vault-key",
+          "keyvaultUri": "https://sample-vault-key12.vault.azure.net",
+          "keyVersion": "7c73556c521340209371eaf623cc099d"
+        }
+      }
+    }
+  }
+```
+Sample response
+
+```json
+{
+  "name": "automation-account-name",
+  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resource-group-name/providers/Microsoft.Automation/automationAccounts/automation-account-name",
+  ..
+  "properties": {
+    ..
+    "encryption": {
+      "keyvaultProperties": {
+         "keyName": "sample-vault-key",
+          "keyvaultUri": "https://sample-vault-key12.vault.azure.net",
+          "keyVersion": "7c73556c521340209371eaf623cc099d"
+      },
+      "keySource": "Microsoft.Keyvault"
+    },
+    ..
+  }
+}
+```
+
+## Manage customer-managed keys lifecycle
+
+### Rotate customer-managed keys
+
+You can rotate a customer-managed key in Azure Key Vault according to your compliance policies. When the key is rotated, you must update the automation account to use the new key URI. 
+
+Rotating the key does not trigger re-encryption of data in the storage account. There is no further action required from the user.
+
+## Revoke access to customer-managed keys
+
+To revoke access to customer-managed keys, use PowerShell or Azure CLI. For more information, see [Azure Key Vault PowerShell](https://docs.microsoft.com/powershell/module/az.keyvault/) or [Azure Key Vault CLI](https://docs.microsoft.com/cli/azure/keyvault). Revoking access effectively blocks access to all data in the storage account, as the encryption key is inaccessible by Azure Storage.
+
+## Next steps
+
+- [What is Azure Key Vault?](../key-vault/key-vault-overview.md) 
+- [Certificate assets in Azure Automation](shared-resources/certificates.md)
+- [Credential assets in Azure Automation](shared-resources/credentials.md)
+- [Variable assets in Azure Automation](shared-resources/variables.md)
diff --git a/articles/virtual-machines/extensions/update-linux-agent.md b/articles/virtual-machines/extensions/update-linux-agent.md
@@ -3,7 +3,7 @@ title: Update the Azure Linux Agent from GitHub
 description: Learn how to update Azure Linux Agent for your Linux VM in Azure
 services: virtual-machines-linux
 documentationcenter: ''
-author: axayjo
+author: MicahMcKittrick-MSFT
 manager: gwallace
 editor: ''
 tags: azure-resource-manager,azure-service-management
@@ -14,7 +14,7 @@ ms.workload: infrastructure-services
 ms.tgt_pltfrm: vm-linux
 ms.topic: article
 ms.date: 08/02/2017
-ms.author: akjosh
+ms.author: mimckitt
 
 ---
 # How to update the Azure Linux Agent on a VM
@@ -86,77 +86,6 @@ initctl restart walinuxagent
 systemctl restart walinuxagent.service
 ```
 
-## Debian
-
-### Debian 7 “Wheezy”
-
-#### Check your current package version
-
-```bash
-dpkg -l | grep waagent
-```
-
-#### Update package cache
-
-```bash
-sudo apt-get -qq update
-```
-
-#### Install the latest package version
-
-```bash
-sudo apt-get install waagent
-```
-
-#### Enable agent auto update
-This version of Debian does not have a version >= 2.0.16, therefore AutoUpdate is not available for it. The output from the above command will show you if the package is up-to-date.
-
-### Debian 8 “Jessie” / Debian 9 “Stretch”
-
-#### Check your current package version
-
-```bash
-apt list --installed | grep waagent
-```
-
-#### Update package cache
-
-```bash
-sudo apt-get -qq update
-```
-
-#### Install the latest package version
-
-```bash
-sudo apt-get install waagent
-```
-#### Ensure auto update is enabled 
-
-First, check to see if it is enabled:
-
-```bash
-cat /etc/waagent.conf
-```
-
-Find 'AutoUpdate.Enabled'. If you see this output, it is enabled:
-
-```bash
-# AutoUpdate.Enabled=y
-AutoUpdate.Enabled=y
-```
-
-To enable run:
-
-```bash
-sudo sed -i 's/# AutoUpdate.Enabled=n/AutoUpdate.Enabled=y/g' /etc/waagent.conf
-```
-
-### Restart the waagent service
-
-```
-sudo systemctl restart walinuxagent.service
-```
-
 ## Red Hat / CentOS
 
 ### RHEL/CentOS 6
