Defender for APIs is not enabled by default #1167
Comments
@robsissons-contino You can deploy your Defender for Cloud policies using custom configuration and then set `enable_defender_for_apis` to `false`. This will give you the opportunity to create and assign a built-in policy in your alz deployment. See the configuration in the link below.

Deploy-Management-Resources-With-Custom-Settings

Now, you need to create a custom policy assignment using the built-in policy named "Configure Microsoft Defender for APIs plan", specifically for MDFC for APIs. Follow the instructions provided in the link below to achieve this.

In the meantime, I'm creating a PR for a new MDFC policy initiative which will have the definition configuration below, with the P1 plan as the default value.

```json
{
  "policyDefinitionReferenceId": "defenderForAPIs",
  "policyDefinitionId": "${root_scope_resource_id}/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-APIs",
  "parameters": {
    "effect": {
      "value": "[parameters('enableAscForAPIs')]"
    },
    "subPlan": {
      "value": "[parameters('enableAscForAPIsSubPlan')]"
    }
  },
  "groupNames": []
}
```

With that being said, once the PR is approved, you would have to create a directory `lib` in your alz root module and a file `archetype_extension_es_root.tmpl.json` under the `lib` directory, and add the code below to set the plan as needed to one of the allowed values: P1, P2, P3, P4 or P5 (the value goes in `enableAscForAPIsSubPlan`; JSON does not allow inline comments, so keep the file free of them).

```json
{
  "extend_es_root": {
    "policy_assignments": ["Deploy-MDFC-Config-H324"],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {
        "Deploy-MDFC-Config-H324": {
          "enableAscForAPIsSubPlan": "P1"
        }
      },
      "access_control": {}
    }
  }
}
```

Finally, you need to add `library_path = "${path.root}/lib"` to your module block. See below for an example.

```hcl
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "myorg"
  root_name      = "My Organization"
  library_path   = "${path.root}/lib"
}
```

Hope that helps
Versions
terraform: 1.9.5
azure provider: 3.116.0
module: 6.1.0
Description
Describe the bug
The Defender for Cloud policy initiative does not enable "Defender for APIs".
Looks like there are multiple versions of the 'Deploy-MDFC-Config' initiative being worked on within the repository. The current version being assigned through the es_root archetype definition is the definition "Deploy-MDFC-Config_20240319", which is deployed using the archetype assignment called "Deploy-MDFC-Config-H224".
This initiative does not currently include the built-in definition for deploying Defender for APIs, which results in Azure Security Benchmark policy compliance failing on a new ES deployment.
Steps to Reproduce
Screenshots
Additional context
It looks like the other version of these policies/assignments within the repo already have configuration to deploy and enable this feature (policySetDefinitions/Deploy-MDFC-Config) - can we migrate over so that this feature of Defender is enabled by default?
Also worth tidying up the multiple revisions of these policies?
Would have raised a PR but it looks like the work is done, just needs to be moved across?