/GuardrailsSolutionAccelerator

This reference implementation is based on the 30-days guardrails requirements as part of the GC Cloud Operationalization Framework, it offers an automated way to verify if the department has implemented the recommended controls provided by Treasury Board of Canada Secretariat (TBS) and display the results in a comprehensive format.

Primary LanguagePowerShellMIT LicenseMIT

[ARCHIVED] Guardrails Solution Accelerator for Canadian Public Sector

This repository has been archived and is no longer maintained. An active version of the content has been moved to Shared Services Canada's GitHub at [https://github.com/ssc-spc-ccoe-cei/azure-guardrails-solution-accelerator(]https://github.com/ssc-spc-ccoe-cei/azure-guardrails-solution-accelerator)

Introduction 

The purpose of the reference implementation is to help Canadian Public Sector departments and agencies to identify and remediate the GC Cloud Guardrails to ensure on-going compliance with the Guardrails requirements.The GC Cloud Guardrails requirements can be found in the Canadian Governments public GitHub repository.  

Goals

Implementing the required GC Cloud Guardrails can take a considerable amount of time. This solution checks the environment for all 12 Cloud Guardrails Controls and provides guidance on what is required to remediate any that are non-compliant. The solution runs on an ongoing basis, ensuring that your environment continues to meet the baseline requirements.

Architecture

  1. The solution is deployed from the Azure Portal's cloud shell. After cloning the repository, some configuration needs to be done to the provided config.json file. Once triggered, the setup will deploy all the required components.

  2. Azure Automation will trigger the main runbook every 6 hours. It will fetch information from multiple sources (AAD, Azure Resources, Storage Account).

  3. The data is then stored into the local Log Analytics workspace.

  4. The data summary and details can be visualized using the provided Guardrails workbook.

  5. For multi-tenant scenarios, where the data collected by the Guardrails solution will be reported on by an entity from another Azure AD tenant, Azure Lighthouse can be used to delegate access to the managing tenant.

Setup

The setup document describing how to deploy the Guardrails Solution Accelerator can be found here: Setup

How it works

The solution has multiple modules, each module verifies specific set of settings in the environment and compares them with the required GC guardrails settings recommended by Treasury Board of Canada and Shared Services Canada. In order to understand what the modules are looking for please check the controls documents.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Telemetry

Microsoft can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft's privacy policies, located at https://www.microsoft.com/trustcenter.

If you don't wish to send usage data to Microsoft, you can set the customerUsageAttribution.enabled setting to false in setup/IaC/modules/telemetry.json. Learn more in our Azure DevOps Pipelines onboarding guide.

Project Bicep collects telemetry in some scenarios as part of improving the product.

License

All files except for Super-Linter in the repository are subject to the MIT license.

Super-Linter in this project is provided as an example for enabling source code linting capabilities. It is subjected to the license based on it's repository.

Trademark

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.