Automation - oWretch/policy GitHub Wiki
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Automation | Automation Account should have Managed Identity: Use Managed Identities as the recommended method for authenticating with Azure resources from the runbooks. Managed identity for authentication is more secure and eliminates the management overhead associated with using RunAs Account in your runbook code. | Audit Disabled | Audit Disabled | | | | | | | |
Automation | Automation account variables should be encrypted: It is important to enable encryption of Automation account variable assets when storing sensitive data. | Deny Disabled Audit | Deny Disabled Audit | Audit Deny Disabled | | | | | | |
Automation | Automation accounts should disable public network access: Disabling public network access improves security by ensuring that the resource isn't exposed on the public internet. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://docs.microsoft.com/azure/automation/how-to/private-link-security. | Deny Disabled Audit | | | | | | | | |
Automation | Azure Automation account should have local authentication method disabled: Disabling local authentication methods improves security by ensuring that Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Automation | Azure Automation accounts should use customer-managed keys to encrypt data at rest: Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk. | Deny Disabled Audit | Deny Disabled Audit | | | | | | | |
Automation | Configure Azure Automation account to disable local authentication: Disable local authentication methods so that your Azure Automation accounts exclusively require Azure Active Directory identities for authentication. | Modify Disabled | Modify Disabled | | | | | | | |
Automation | Configure Azure Automation accounts to disable public network access: Disable public network access for Azure Automation accounts so that they aren't accessible over the public internet. This configuration helps protect them against data leakage risks. You can limit exposure of your Automation account resources by creating private endpoints instead. Learn more at: https://aka.ms/privateendpoints. | Modify Disabled | Modify Disabled | | | | | | | |
Automation | Configure Azure Automation accounts with private DNS zones: Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists Disabled | | | | | | | | |
Automation | Configure Azure Automation accounts with private DNS zones: Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | DeployIfNotExists Disabled | | | | | | | | |
Automation | Deploy Automation Account TotalJob Alert: Policy to audit or deploy an Automation Account TotalJob alert. | deployIfNotExists disabled | | | | | | | | |
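The effects in the table behave differently at deployment time: Modify patches the request before Deny and Audit are evaluated, Deny rejects the request, and Audit only records a finding. The following added example (not code from the oWretch/policy repository or from Azure Policy) replays those rules offline against two constructed Automation account resources so the difference is visible. The property names it checks (`identity.type`, `properties.publicNetworkAccess`, `properties.disableLocalAuth`, `properties.encryption.keySource`, and `isEncrypted` on variables), the sample resources, and the choice of the first effect listed per policy as the assigned effect are assumptions made for the example; which scope column each assignment applies to is not modelled.

```python
"""Offline replay of the Automation policy effects listed in the table above.

Added example, not part of the oWretch/policy repository or of Azure Policy.
Resource property names and the sample accounts are assumptions.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from typing import Callable, Optional

AUDIT, DENY, MODIFY, DISABLED = "Audit", "Deny", "Modify", "Disabled"


@dataclass
class Rule:
    name: str
    effect: str
    compliant: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None  # only used by Modify


def _props(res: dict) -> dict:
    return res.setdefault("properties", {})


def has_managed_identity(res: dict) -> bool:
    return res.get("identity", {}).get("type", "None") != "None"


def variables_encrypted(res: dict) -> bool:
    # An account with no variables has nothing to leak, so it is compliant.
    return all(v.get("properties", {}).get("isEncrypted") is True
               for v in res.get("variables", []))


def public_access_disabled(res: dict) -> bool:
    return _props(res).get("publicNetworkAccess") is False


def local_auth_disabled(res: dict) -> bool:
    return _props(res).get("disableLocalAuth") is True


def cmk_in_use(res: dict) -> bool:
    return _props(res).get("encryption", {}).get("keySource") == "Microsoft.Keyvault"


def set_public_access_off(res: dict) -> None:
    _props(res)["publicNetworkAccess"] = False


def set_local_auth_off(res: dict) -> None:
    _props(res)["disableLocalAuth"] = True


# Effect per rule taken from the first value listed in the table cells.
RULES = [
    Rule("Automation Account should have Managed Identity", AUDIT, has_managed_identity),
    Rule("Automation account variables should be encrypted", DENY, variables_encrypted),
    Rule("Automation accounts should disable public network access", DENY, public_access_disabled),
    Rule("Azure Automation account should have local authentication method disabled", DENY, local_auth_disabled),
    Rule("Azure Automation accounts should use customer-managed keys to encrypt data at rest", AUDIT, cmk_in_use),
    Rule("Configure Azure Automation accounts to disable public network access", MODIFY, public_access_disabled, set_public_access_off),
    Rule("Configure Azure Automation account to disable local authentication", MODIFY, local_auth_disabled, set_local_auth_off),
]


@dataclass
class Result:
    modified_by: list = field(default_factory=list)
    denied_by: list = field(default_factory=list)
    audit_findings: list = field(default_factory=list)
    resource: dict = field(default_factory=dict)


def evaluate(resource: dict, rules=RULES) -> Result:
    """Modify first (it rewrites the request), then Deny, then Audit; Disabled is skipped."""
    res = copy.deepcopy(resource)  # never mutate the caller's copy
    out = Result(resource=res)
    for rule in (r for r in rules if r.effect == MODIFY):
        if not rule.compliant(res) and rule.remediate:
            rule.remediate(res)
            out.modified_by.append(rule.name)
    for rule in rules:
        if rule.effect in (DISABLED, MODIFY) or rule.compliant(res):
            continue
        (out.denied_by if rule.effect == DENY else out.audit_findings).append(rule.name)
    return out


# Constructed sample: an account created with portal defaults (weak settings).
WEAK_ACCOUNT = {
    "name": "aa-weak", "type": "Microsoft.Automation/automationAccounts",
    "identity": {"type": "None"},
    "properties": {"publicNetworkAccess": True, "disableLocalAuth": False,
                   "encryption": {"keySource": "Microsoft.Automation"}},
    "variables": [{"name": "apiKey", "properties": {"isEncrypted": False}}],
}

# Constructed sample: the same account after applying every policy above.
HARDENED_ACCOUNT = {
    "name": "aa-hardened", "type": "Microsoft.Automation/automationAccounts",
    "identity": {"type": "SystemAssigned"},
    "properties": {"publicNetworkAccess": False, "disableLocalAuth": True,
                   "encryption": {"keySource": "Microsoft.Keyvault"}},
    "variables": [{"name": "apiKey", "properties": {"isEncrypted": True}}],
}

if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        r = evaluate(acct)
        print(acct["name"], "modified:", r.modified_by, "denied:", r.denied_by, "audit:", r.audit_findings)
```

Run it and the weak account is patched by the two Modify rules, so the matching Deny rules pass; it is still denied by the unencrypted variable, and the missing managed identity and service-managed key show up only as audit findings. Drop the Modify rules from the list and the same account is denied three times, which is the practical difference between assigning the "Configure ..." policies and assigning only the "should ..." ones.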
Category | Policy | Platform | Landing Zones | Production | Decommissioned | Management | Corp | Connectivity | Sandbox | Identity |
---|---|---|---|---|---|---|---|---|---|---|
Automation | Configure Azure Automation accounts with private DNS zones: Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | azureAutomationWebhookPrivateDnsZoneId = --DNSZonePrefix--privatelink.azure-auto... | | | | | | | | |
Automation | Configure Azure Automation accounts with private DNS zones: Use private DNS zones to override the DNS resolution for a private endpoint. You need a private DNS zone properly configured to connect to an Azure Automation account via Azure Private Link. Learn more at: https://aka.ms/privatednszone. | azureAutomationDSCHybridPrivateDnsZoneId = --DNSZonePrefix--privatelink.azure-auto... | | | | | | | | |
Automation | Deploy Automation Account TotalJob Alert: Policy to audit or deploy an Automation Account TotalJob alert. | AATotalJobAlertWindowSize = PT5M; AATotalJobAlertAlertState = true; AATotalJobAlertEvaluationFrequency = PT1M; AATotalJobAlertSeverity = 2; AATotalJobAlertThreshold = 20 | | | | | | | | |