Security policy updates

liorarviv · liorarviv · commit e91c3af54ac6 · 2024-05-06T10:24:00.000+03:00
Push updates to support the general availability release of security policies cross clouds.
diff --git a/articles/defender-for-cloud/manage-mcsb.md b/articles/defender-for-cloud/manage-mcsb.md
@@ -7,7 +7,7 @@ ms.date: 01/25/2022
 
 # Manage MCSB recommendations in Defender for Cloud
 
-Microsoft Defender for Cloud assesses resources against [security standards](security-policy-concept.md). By default, when you onboard Azure subscriptions to Defender for Cloud, the [Microsoft Cloud Security Benchmark (MCSB) standard](concept-regulatory-compliance.md) is enabled. Defender for Cloud starts assessing the security posture of your resource against controls in the MCSB standard, and issues security recommendations based on the assessments.
+Microsoft Defender for Cloud assesses resources against [security standards](security-policy-concept.md). By default, when you onboard cloud accounts to Defender for Cloud, the [Microsoft Cloud Security Benchmark (MCSB) standard](concept-regulatory-compliance.md) is enabled. Defender for Cloud starts assessing the security posture of your resource against controls in the MCSB standard, and issues security recommendations based on the assessments.
 
 This article describes how you can manage recommendations provided by MCSB.
 
@@ -31,14 +31,13 @@ To review which recommendations you can deny and enforce, in the **Security poli
 
 ## Manage recommendation settings
 
-You can enable/disable, deny and enforce recommendations.
-
 > [!NOTE]
-> If a recommendation is disabled, all of its subrecommendations are exempted.
+> - If a recommendation is disabled, all of its subrecommendations are exempted.
+> - **Disabled** and **Deny** effects are available for Azure environment only.
 
 1. In the Defender for Cloud portal, open the **Environment settings** page.
 
-1. Select the subscription or management group for which you want to manage MCSB recommendations.
+1. Select the cloud account or management account for which you want to manage MCSB recommendations.
 
 1. Open the **Security policies** page, and select the MCSB standard. The standard should be turned on.
 
@@ -105,4 +104,4 @@ This page explained security policies. For related information, see the followin
 - [Learn how to set policies using PowerShell](../governance/policy/assign-policy-powershell.md)
 - [Learn how to edit a security policy in Azure Policy](../governance/policy/tutorials/create-and-manage.md)
 - [Learn how to set a policy across subscriptions or on Management groups using Azure Policy](../governance/policy/overview.md)
-- [Learn how to enable Defender for Cloud on all subscriptions in a management group](onboard-management-group.md)
+- [Learn how to enable Defender for Cloud on all subscriptions in a management group](onboard-management-group.md)
diff --git a/articles/defender-for-cloud/security-policy-concept.md b/articles/defender-for-cloud/security-policy-concept.md
@@ -15,32 +15,38 @@ Security standards define rules, compliance conditions for those rules, and acti
 
 Security standards in Defender for Cloud come from these sources:
 
-- **Microsoft cloud security benchmark (MCSB)**: The MCSB standard is applied by default when you onboard Defender for Cloud to a management group or subscription. Your [secure score](secure-score-security-controls.md) is based on assessment against some MCSB recommendations.
+- **Microsoft cloud security benchmark (MCSB)**: The MCSB standard is applied by default when you onboard cloud accounts to Defender. Your [secure score](secure-score-security-controls.md) is based on assessment against some MCSB recommendations.
 
 - **Regulatory compliance standards**: When you enable one or more [Defender for Cloud plans](defender-for-cloud-introduction.md), you can add standards from a wide range of predefined regulatory compliance programs.
 
 - **Custom standards**: You can create custom security standards in Defender for Cloud, and then add built-in and custom recommendations to those custom standards as needed.
 
 Security standards in Defender for Cloud are based on [Azure Policy](../governance/policy/overview.md) [initiatives](../governance/policy/concepts/initiative-definition-structure.md) or on the Defender for Cloud native platform. Currently, Azure standards are based on Azure Policy. AWS and GCP standards are based on Defender for Cloud.
 
-Security standards in Defender for Cloud simplify the complexity of Azure Policy. In most cases, you can work directly with security standards and recommendations in the Defender for Cloud portal, without needing to directly configure Azure Policy.
-
 ### Working with security standards
 
 Here's what you can do with security standards in Defender for Cloud:
 
-- **Modify the built-in MCSB for the subscription**: When you enable Defender for Cloud, the MCSB is automatically assigned to all Defender for Cloud registered subscriptions.
+- **Modify the built-in MCSB for the subscription**: When you enable Defender for Cloud, the MCSB is automatically assigned to all Defender for Cloud registered subscriptions. [Learn more about managing the MCSB standard](manage-mcsb.md).
 
 - **Add regulatory compliance standards**: If you have one or more paid plans enabled, you can assign built-in compliance standards against which to assess your Azure, AWS, and GCP resources. [Learn more about assigning regulatory standards](update-regulatory-compliance-packages.yml).
 
-- **Add custom standards**: If you have at least one paid Defender plan enabled, you can define new [Azure standards](custom-security-policies.md) or [AWS/GCP standards](create-custom-recommendations.md) in the Defender for Cloud portal. You can then add recommendations to those standards.
+- **Add custom standards**: If you have at least one paid Defender plan enabled, you can define new [custom standards](custom-security-policies.md) and [custom recommendations](create-custom-recommendations.md) in the Defender for Cloud portal. You can then add recommendations to those standards.
 
-### Working with custom standards
+### Custom standards
 
 Custom standards appear alongside built-in standards in the **Regulatory compliance** dashboard.
 
 Recommendations derived from assessments against custom standards appear together with recommendations from built-in standards. Custom standards can contain built-in and custom recommendations.
 
+### Custom recommendations
+
+All customers with Azure subscriptions can create custom recommendations based on Azure Policy. With Azure Policy, you create a policy definition, assign it to a policy initiative, and merge that initiative and policy into Defender for Cloud.
+
+Custom recommendations based on Kusto Query Language (KQL) are available for all clouds, but require enabling the [Defender CSPM plan](concept-cloud-security-posture-management.md). With these recommendations, you specify a unique name, a description, steps for remediation, severity, and which standards the recommendation should be assigned to. You add recommendation logic with KQL. A query editor provides a built-in query template that you can tweak as needed, or you can write your KQL query from scratch.
+
+For more information, see [Create custom security standards and recommendations in Microsoft Defender for Cloud](create-custom-recommendations.md).
+
 ## Security recommendations
 
 Defender for Cloud periodically and continuously analyzes and assesses the security state of protected resources against  defined security standards, to identify potential security misconfigurations and weaknesses. Defender for Cloud then provides recommendations based on assessment findings.
@@ -65,13 +71,6 @@ The MCSB standard is an Azure Policy initiative that includes multiple complianc
 
 As Defender for Cloud continually assesses and finds resources that don't satisfy this control, it marks the resources as noncompliant and triggers a recommendation. In this case, guidance is to harden Azure Storage accounts that aren't protected with virtual network rules.
 
-### Custom recommendations
-
-All customers with Azure subscriptions can create custom recommendations based on Azure Policy. With Azure Policy, you create a policy definition, assign it to a policy initiative, and merge that initiative and policy into Defender for Cloud.
-
-Custom recommendations based on Kusto Query Language (KQL) are available for all clouds, but require enabling the [Defender CSPM plan](concept-cloud-security-posture-management.md). With these recommendations, you specify a unique name, a description, steps for remediation, severity, and which standards the recommendation should be assigned to. You add recommendation logic with KQL. A query editor provides a built-in query template that you can tweak as needed, or you can write your KQL query from scratch.
-
-For more information, see [Create custom security standards and recommendations in Microsoft Defender for Cloud](create-custom-recommendations.md).
 
 ## Next steps
 
diff --git a/articles/defender-for-cloud/update-regulatory-compliance-packages.yml b/articles/defender-for-cloud/update-regulatory-compliance-packages.yml
@@ -24,9 +24,9 @@ prerequisites:
     - You need `Owner` or `Policy Contributor` permissions to add a standard.
 procedureSection:
   - title: |
-      Assign a standard (Azure)
+      Assign a standard
     summary: |
-      **To assign regulatory compliance standards on Azure**:
+      **To assign regulatory compliance standards on cloud environment**:
     steps: 
       - |
         Sign in to the [Azure portal](https://portal.azure.com/).
@@ -37,7 +37,7 @@ procedureSection:
 
           :::image type="content" source="media/update-regulatory-compliance-packages/manage-compliance.png" alt-text="Screenshot of the regulatory compliance page that shows you where to select the manage compliance policy button." lightbox="media/update-regulatory-compliance-packages/manage-compliance.png":::
       - |
-        Select the subscription or management group on which you want to assign the security standard.
+        Select an account or management account (Azure subscription or nmanagement group, AWS account or management account, GCP project or organization) on which you want to assign the security standard.
 
           > [!NOTE]
           > We recommend selecting the highest scope for which the standard is applicable so that compliance data is aggregated and tracked for all nested resources.
@@ -51,54 +51,6 @@ procedureSection:
         If any information is needed in order to enable the standard, the **Set parameters** page appears for you to type in the information.
 
         The selected standard appears in **Regulatory compliance** dashboard as enabled for the subscription it was enabled on.
-  - title: |
-      Assign a standard (AWS)
-    summary: |
-      **To assign regulatory compliance standards on AWS accounts**:
-    steps: 
-      - |
-        Sign in to the [Azure portal](https://portal.azure.com/).
-      - |
-        Navigate to **Microsoft Defender for Cloud** > **Regulatory compliance**. For each standard, you can see the applied subscription.
-      - |
-        Select **Manage compliance policies**.
-      - |
-        Select the relevant AWS account.
-      - |
-        Select **Security policies**.
-      - |
-        In the **Standards** tab, select the three dots in the standard you want to assign > **Assign standard**.
-
-          :::image type="content" source="media/update-regulatory-compliance-packages/assign-standard-aws-from-list.png" alt-text="Screenshot that shows where to select a standard to assign." lightbox="media/update-regulatory-compliance-packages/assign-standard-aws-from-list.png":::
-      - |
-        At the prompt, select **Yes**. The standard is assigned to your AWS account.
-
-          :::image type="content" source="media/update-regulatory-compliance-packages/assign-standard-aws.png" alt-text="Screenshot of the prompt to assign a regulatory compliance standard to the AWS account." lightbox="media/update-regulatory-compliance-packages/assign-standard-aws.png":::
-
-        The selected standard appears in **Regulatory compliance** dashboard as enabled for the account.
-  - title: |
-      Assign a standard (GCP)
-    summary: |
-      **To assign regulatory compliance standards on GCP projects**:
-    steps:
-      - |
-        Sign in to the [Azure portal](https://portal.azure.com/).
-      - |
-        Navigate to **Microsoft Defender for Cloud** > **Regulatory compliance**. For each standard, you can see the applied subscription.
-      - |
-        Select **Manage compliance policies**.
-      - |
-        Select the relevant GCP project.
-      - |
-        Select **Security policies**.
-      - |
-        In the **Standards** tab, select the three dots alongside an unassigned standard and select **Assign standard**.
-
-          :::image type="content" source="media/update-regulatory-compliance-packages/assign-standard-gcp-from-list.png" alt-text="Screenshot that shows how to assign a standard to your GCP project." lightbox="media/update-regulatory-compliance-packages/assign-standard-gcp-from-list.png":::
-      - |
-        At the prompt, select **Yes**. The standard is assigned to your GCP project.
-
-        The selected standard appears in the **Regulatory compliance** dashboard as enabled for the project.
 
 relatedContent:
   - text: Create custom standards for Azure
@@ -109,4 +61,4 @@ relatedContent:
     url: regulatory-compliance-dashboard.md
 
 # - Create custom standards for [Azure](custom-security-policies.md), [AWS, and GCP](create-custom-recommendations.md).
-# - [Improve regulatory compliance](regulatory-compliance-dashboard.md)
+# - [Improve regulatory compliance](regulatory-compliance-dashboard.md)
