Governance Policies Azure Management Automation - Azure/az-prototype GitHub Wiki
## Governance policies for Automation

Domain: azure-management

| Pattern | Description |
|---|---|
| Automation account with managed identity and private endpoint | Automation account with public network access disabled, a system-assigned managed identity, and job logs routed to Log Analytics |

| Anti-pattern | Use instead |
|---|---|
| Do not use Run As accounts for runbook authentication | Use the system-assigned managed identity with scoped RBAC role assignments |
| Do not store secrets in plain-text Automation variables | Use encrypted variables, or keep the secret in Key Vault and read it from the runbook with the managed identity |

| Check | Severity | Description |
|---|---|---|
| AZ-AUTO-001 | Required | Deploy Azure Automation account with managed identity, disabled public access, and encryption |
| AZ-AUTO-002 | Required | Use managed identity for all runbook authentication instead of Run As accounts |
| AZ-AUTO-003 | Recommended | Link Automation account to Log Analytics workspace for job log aggregation |
| AZ-AUTO-004 | Recommended | Use encrypted Automation variables or Key Vault references for sensitive configuration |

### AZ-AUTO-001: Deploy Azure Automation account with managed identity, disabled public access, and encryption

Severity: Required

Rationale: Automation accounts run privileged runbooks against other resources and subscriptions. A system-assigned managed identity removes the stored Run As certificate, disabling public network access confines the webhook and DSC/hybrid worker endpoints to the private endpoint, and encryption protects the account's assets (variables, credentials, certificates, connections) at rest, with a customer-managed key in Key Vault where the data classification requires it.

Agents: terraform-agent, bicep-agent, cloud-architect

Resource types:
- Microsoft.Automation/automationAccounts

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/privateEndpoints | pe-automation | Private endpoint for the Automation account; the Webhook and DSCAndHybridWorker sub-resources each need their own endpoint |
| Microsoft.Network/privateDnsZones | privatelink.azure-automation.net | Private DNS zone so that the account's hostname resolves to the private endpoint address from inside the VNet |
| Microsoft.Insights/diagnosticSettings | diag-automation | Diagnostic settings that route job logs (JobLogs), runbook output (JobStreams) and DSC node status to Log Analytics |
| Microsoft.Authorization/roleAssignments | Automation Contributor | RBAC role assignment for the people or pipelines that manage the account; the permissions the runbooks themselves need are granted to the managed identity separately (AZ-AUTO-002) |
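The following Bicep template is an added example and is not part of the az-prototype wiki or its agents' output; it deploys the account and the related resources from the table above in the shape AZ-AUTO-001 and AZ-AUTO-002 require. The parameter names, the `pe-automation` / `link-automation` names, the API versions, and the assumption that the subnet, VNet and Log Analytics workspace already exist are choices made for this example; the built-in role definition GUID for the identity is passed in as a parameter rather than hard-coded.

```bicep
// Added example (not from the az-prototype wiki): Automation account hardened per
// AZ-AUTO-001 and AZ-AUTO-002. Parameter names, resource names and API versions
// are assumptions made for this example.
targetScope = 'resourceGroup'

param automationAccountName string
param location string = resourceGroup().location
@description('Subnet for the private endpoint (assumed to exist)')
param privateEndpointSubnetId string
@description('VNet that the private DNS zone is linked to (assumed to exist)')
param vnetId string
@description('Log Analytics workspace that receives job logs (assumed to exist)')
param logAnalyticsWorkspaceId string
@description('GUID of the built-in role the runbooks need; scope it to the minimum')
param roleDefinitionId string

resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = {
  name: automationAccountName
  location: location
  identity: {
    type: 'SystemAssigned' // AZ-AUTO-002: no Run As certificate to store or rotate
  }
  properties: {
    sku: { name: 'Basic' }
    publicNetworkAccess: false // AZ-AUTO-001: reachable only through the private endpoint
    encryption: {
      keySource: 'Microsoft.Automation' // platform key; use 'Microsoft.Keyvault' + keyVaultProperties for CMK
    }
  }
}

// One private endpoint per sub-resource; this one covers webhooks. DSC/hybrid
// workers need a second endpoint with groupIds: [ 'DSCAndHybridWorker' ].
resource privateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-automation'
  location: location
  properties: {
    subnet: { id: privateEndpointSubnetId }
    privateLinkServiceConnections: [
      {
        name: 'pe-automation-webhook'
        properties: {
          privateLinkServiceId: automationAccount.id
          groupIds: [ 'Webhook' ]
        }
      }
    ]
  }
}

resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.azure-automation.net'
  location: 'global'
}

resource dnsZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateDnsZone
  name: 'link-automation'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnetId }
  }
}

// Registers the endpoint's private IP in the zone, so the account hostname
// resolves privately from inside the VNet.
resource dnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: privateEndpoint
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'azure-automation', properties: { privateDnsZoneId: privateDnsZone.id } }
    ]
  }
}

resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-automation'
  scope: automationAccount
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      { category: 'JobLogs', enabled: true }      // job start/stop/failure
      { category: 'JobStreams', enabled: true }   // runbook output and errors
      { category: 'DscNodeStatus', enabled: true } // DSC compliance
    ]
  }
}

// RBAC for the managed identity, scoped to this resource group. A deterministic
// guid() keeps the assignment idempotent across redeployments.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, automationAccount.id, roleDefinitionId)
  scope: resourceGroup()
  properties: {
    principalId: automationAccount.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
  }
}

output principalId string = automationAccount.identity.principalId
```

Deploy with `az deployment group create --template-file main.bicep --parameters ...`. After deployment, `az automation account show` should report `publicNetworkAccess: false` and an `identity.principalId`; the `principalId` output is what you pass to any further role assignments, for example on a Key Vault (AZ-AUTO-004). Keep the identity's role at the narrowest scope the runbooks actually touch rather than Contributor on the subscription.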
### AZ-AUTO-002: Use managed identity for all runbook authentication instead of Run As accounts

Severity: Required

Rationale: Run As accounts authenticate with a service principal certificate stored in the account; the certificate expires, has to be rotated by hand, and the feature has been retired by Microsoft. A system-assigned managed identity has no credential to store, export or rotate, its token requests appear in the Entra ID sign-in logs, and its permissions are explicit RBAC role assignments that can be scoped to the minimum the runbooks need. In a PowerShell runbook this is `Connect-AzAccount -Identity` in place of the Run As connection lookup.

Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Resource types:
- Microsoft.Automation/automationAccounts
### AZ-AUTO-003: Link Automation account to Log Analytics workspace for job log aggregation

Severity: Recommended

Rationale: A linked workspace gives the account one central workspace for its operational data. Together with the diagnostic setting from AZ-AUTO-001 that routes JobLogs and JobStreams there, runbook executions, failures, durations and output can be queried with KQL and alerted on in one place instead of being inspected job by job in the portal.

Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Resource types:
- Microsoft.Automation/automationAccounts
### AZ-AUTO-004: Use encrypted Automation variables or Key Vault references for sensitive configuration

Severity: Recommended

Rationale: The value of a plain-text variable can be read by anyone with read access to the account, through the portal, CLI, REST API or IaC state files. An encrypted variable is stored encrypted and its value can only be retrieved from inside a runbook (for example `Get-AutomationVariable`), not through the API. For anything that must be rotated or audited, keep the secret in Key Vault, grant the managed identity a secret-read role on the vault, and let the runbook fetch it at run time; the Automation variable then holds only the vault and secret names.

Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Resource types:
- Microsoft.Automation/automationAccounts
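The following Bicep template is an added example, not code from the az-prototype wiki, covering AZ-AUTO-003 and AZ-AUTO-004 for an account that already exists (for instance one deployed per AZ-AUTO-001). The parameter names, the variable names `ApiToken` and `SecretsVaultUri`, the API versions and the assumption that the workspace and Key Vault already exist are choices made for this example; the GUID of the secret-read role is passed in rather than hard-coded.

```bicep
// Added example (not from the az-prototype wiki): linked workspace (AZ-AUTO-003),
// an encrypted variable and a Key Vault reference (AZ-AUTO-004). Parameter and
// variable names are assumptions made for this example.
targetScope = 'resourceGroup'

param automationAccountName string
param logAnalyticsWorkspaceName string
param keyVaultName string
@description('GUID of the built-in role that allows reading secrets, e.g. Key Vault Secrets User')
param keyVaultRoleDefinitionId string
@secure()
@description('Value that must never be stored as a plain-text variable')
param apiToken string

resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' existing = {
  name: automationAccountName
}
resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: logAnalyticsWorkspaceName
}
resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// AZ-AUTO-003: the linked service must be named 'Automation'. An account can be
// linked to exactly one workspace.
resource linkedWorkspace 'Microsoft.OperationalInsights/workspaces/linkedServices@2020-08-01' = {
  parent: workspace
  name: 'Automation'
  properties: {
    resourceId: automationAccount.id
  }
}

// AZ-AUTO-004, option 1: an encrypted variable. Variable values are stored as
// JSON, so a string is passed JSON-quoted. With isEncrypted: true the value is
// readable only from inside a runbook (Get-AutomationVariable), not via the API.
resource apiTokenVariable 'Microsoft.Automation/automationAccounts/variables@2022-08-08' = {
  parent: automationAccount
  name: 'ApiToken'
  properties: {
    isEncrypted: true
    value: '"${apiToken}"' // JSON string literal; assumes the value contains no double quotes
  }
}

// AZ-AUTO-004, option 2: keep the secret in Key Vault and store only a pointer.
// The vault URI is not sensitive, so the pointer can stay unencrypted; the
// managed identity is granted a secret-read role on the vault to resolve it.
resource vaultPointer 'Microsoft.Automation/automationAccounts/variables@2022-08-08' = {
  parent: automationAccount
  name: 'SecretsVaultUri'
  properties: {
    isEncrypted: false
    value: '"${keyVault.properties.vaultUri}"'
  }
}

resource vaultRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, automationAccount.id, keyVaultRoleDefinitionId)
  scope: keyVault // data-plane RBAC on the vault only, not on the resource group
  properties: {
    principalId: automationAccount.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultRoleDefinitionId)
  }
}
```

Inside a PowerShell runbook the two options are then consumed as `Get-AutomationVariable -Name 'ApiToken'` for the encrypted variable, and, after `Connect-AzAccount -Identity`, `Get-AzKeyVaultSecret` against the vault whose URI is in `SecretsVaultUri` for the Key Vault reference. The role assignment on the vault assumes the vault uses Azure RBAC for data-plane authorization; a vault still on access policies needs a `get` secret permission for the identity's principal ID instead.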