Description

This policy ensures that an Azure Monitor activity log alert exists that fires whenever a policy assignment is deleted (operation Microsoft.Authorization/policyAssignments/delete). The alert does not prevent the deletion; it gives the security team prompt notice so that an unauthorized or accidental removal of a policy assignment, which weakens the security and compliance posture of the environment, can be investigated and reversed.

Rationale

Azure Policy assignments enforce or audit controls such as allowed locations, required encryption, or mandatory tags. Deleting an assignment silently removes that guardrail: resources that would previously have been denied or flagged can then be created or reconfigured with the control no longer applying, which can expose sensitive data or resources. Because the deletion is a single, legitimate-looking management operation, an alert on the activity log is the practical way to notice it promptly rather than at the next audit.

Impact

If this alert is not configured, a policy assignment can be deleted by a compromised account, an over-privileged user, or by mistake, with nobody notified, and the resulting gap in enforcement can go unnoticed until the next review. The alert itself has negligible cost; the only operational impact is that legitimate deletions also fire it, so alerts should be reconciled with change records.

Default Value

Azure does not create an activity log alert for delete policy assignment events by default. The deletion is recorded in the subscription's activity log, but no one is notified.

Pre-requisites

  • Access to the Azure portal or the Azure CLI
  • Permission to create alert rules and action groups in the subscription (for example, the Monitoring Contributor role)
  • An action group with the email recipients for the alert, or the details needed to create one
  • Knowledge of how to create an Azure activity log alert

Remediation Steps

  1. Log in to the Azure portal.
  2. Go to Monitor.
  3. Click Alerts.
  4. Click Create, then Alert rule.
  5. In the Scope section, select the subscription to monitor. Scope the rule to the whole subscription rather than a resource group, so that subscription-level assignments are covered.
  6. In the Condition section, choose the Activity Log signal type and select the signal Delete policy assignment (policyAssignments), which corresponds to the operation Microsoft.Authorization/policyAssignments/delete.
  7. In the Actions section, select an existing action group, or create one with an Email notification to the security team.
  8. In the Details section, give the rule a name, then click Review + create and Create.

Test Plan

  1. Verify that the activity log alert rule exists and is enabled: in the portal under Monitor > Alerts > Alert rules, or with az monitor activity-log alert list. Confirm that its condition includes category Administrative and operationName Microsoft.Authorization/policyAssignments/delete, that its scope is the subscription, and that an action group is attached.
  2. Simulate a delete policy assignment event: assign a harmless built-in policy (for example, one with the audit effect) to a test resource group, then delete that assignment.
  3. Verify that the action group recipients receive the email notification within a few minutes and that the fired alert appears under Monitor > Alerts. Clean up any test resources left over.
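The first test step above can be scripted. The following Python check is an added example and is not part of the original page or of any Azure tooling: it parses the JSON printed by az monitor activity-log alert list, reports which rules actually satisfy this control (enabled, subscription-scoped, Administrative category, the delete operation, at least one action group), and applies a rule's condition to activity log events in the shape printed by az monitor activity-log list. The subscription ID, action group ID, rule records and events are constructed sample data, and the field names follow the activityLogAlerts resource schema as printed by the CLI (an assumption to verify against your own output).

```python
import json

# Operation and category the alert rule must match (see Remediation Steps).
DELETE_POLICY_ASSIGNMENT_OP = "Microsoft.Authorization/policyAssignments/delete"
ADMIN_CATEGORY = "Administrative"

# Placeholders used only by the constructed sample data below (not real identifiers).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP_ID = (f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-security"
                   "/providers/microsoft.insights/actionGroups/PolicyAlerts")


def rule_clauses(rule):
    """Flatten a rule's condition.allOf into a lower-cased {field: value} dict.
    Azure evaluates activity log alert clauses case-insensitively, so a rule
    saved with different casing still counts as a match."""
    clauses = {}
    for clause in rule.get("condition", {}).get("allOf", []):
        if clause.get("field") and clause.get("equals") is not None:
            clauses[clause["field"].lower()] = clause["equals"].lower()
    return clauses


def rule_covers_delete(rule, subscription_id):
    """True if this rule would alert on a policy assignment deletion in the subscription.
    Requires: enabled, scoped to the whole subscription (a resource-group scope would
    miss subscription-level assignments), Administrative category, the delete
    operation, and at least one action group to notify."""
    if not rule.get("enabled", False):
        return False
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    if not any(s.lower() == sub_scope for s in rule.get("scopes", [])):
        return False
    clauses = rule_clauses(rule)
    if clauses.get("category") != ADMIN_CATEGORY.lower():
        return False
    if clauses.get("operationname") != DELETE_POLICY_ASSIGNMENT_OP.lower():
        return False
    return bool(rule.get("actions", {}).get("actionGroups"))


def audit_rules(rules_json, subscription_id):
    """Names of compliant rules in the JSON printed by `az monitor activity-log alert list`."""
    return [r["name"] for r in json.loads(rules_json) if rule_covers_delete(r, subscription_id)]


def event_matches_rule(event, rule):
    """Apply the rule's allOf clauses to one event in `az monitor activity-log list` shape.
    Only the fields the rule names (among those mapped here) are compared, so a rule
    without a status clause fires on failed (denied) deletion attempts as well."""
    fields = {
        "category": event["category"]["value"],
        "operationname": event["operationName"]["value"],
        "status": event["status"]["value"],
        "caller": event.get("caller", ""),
        "resourceid": event.get("resourceId", ""),
    }
    return all(fields.get(f, "").lower() == v for f, v in rule_clauses(rule).items())


def make_rule(name, enabled=True, op=DELETE_POLICY_ASSIGNMENT_OP, groups=1):
    """Build a constructed rule record in the shape the CLI prints (sample data only)."""
    return {
        "name": name, "enabled": enabled,
        "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
        "condition": {"allOf": [{"field": "category", "equals": ADMIN_CATEGORY},
                                {"field": "operationName", "equals": op}]},
        "actions": {"actionGroups": [{"actionGroupId": ACTION_GROUP_ID}] * groups},
    }


# Constructed sample: one compliant rule (lower-cased operation, as the portal may store it)
# and three look-alikes that do not satisfy the control.
GOOD_RULE = make_rule("Delete Policy Assignment Alert", op=DELETE_POLICY_ASSIGNMENT_OP.lower())
SAMPLE_RULES = json.dumps([
    GOOD_RULE,
    make_rule("Disabled Copy", enabled=False),
    make_rule("Write Only", op="Microsoft.Authorization/policyAssignments/write"),
    make_rule("No Recipients", groups=0),
])

# Constructed sample events: a deletion and a (non-alerting) assignment write.
DELETE_EVENT = {
    "category": {"value": "Administrative"},
    "operationName": {"value": DELETE_POLICY_ASSIGNMENT_OP},
    "status": {"value": "Succeeded"},
    "caller": "user@example.com",
    "resourceId": f"/subscriptions/{SUBSCRIPTION_ID}/providers/Microsoft.Authorization/policyAssignments/require-tags",
}
WRITE_EVENT = dict(DELETE_EVENT, operationName={"value": "Microsoft.Authorization/policyAssignments/write"})

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES, SUBSCRIPTION_ID))   # ['Delete Policy Assignment Alert']
    print(event_matches_rule(DELETE_EVENT, GOOD_RULE),  # True
          event_matches_rule(WRITE_EVENT, GOOD_RULE))   # False
```

To run it against a real subscription, pipe the CLI output in: az monitor activity-log alert list --subscription <subscription-id> -o json > rules.json and pass the file contents to audit_rules. The event matcher mirrors how the alert evaluates its allOf clauses, which is why a rule that names only category and operationName also fires on a denied deletion attempt; that is usually desirable for this control, since a failed attempt by an unauthorized principal is still worth investigating.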

Implementation Plan

Azure Console

  1. Follow the remediation steps above.

Using Azure CLI

Create an action group for the notification (or reuse an existing one), then create the alert rule scoped to the subscription. Replace the angle-bracket placeholders with your own values:

  az monitor action-group create \
    --name "PolicyAlerts" \
    --resource-group "<resource-group>" \
    --action email SecurityTeam "<security-team-email>"

  az monitor activity-log alert create \
    --name "Delete Policy Assignment Alert" \
    --resource-group "<resource-group>" \
    --scope "/subscriptions/<subscription-id>" \
    --condition category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete \
    --action-group "PolicyAlerts"

Backout Plan

  1. Delete the activity log alert rule, in the portal under Monitor > Alerts > Alert rules or with az monitor activity-log alert delete --name "Delete Policy Assignment Alert" --resource-group "<resource-group>", and remove the action group if it was created only for this alert.
  2. Removing the rule removes the detection control, so the backout should itself be approved and recorded as a change.

Note

  • The activity log is collected for every Azure subscription and does not need to be enabled. The alert rule evaluates events in the Administrative category, which is where policy assignment deletions are recorded.
  • An activity log alert rule covers the subscription it is scoped to, so each subscription in scope needs its own rule (for example, deployed from a template).
  • The email notification is sent to the recipients of the action group attached to the rule, not to an address on the rule itself. The action group can also notify by SMS, webhook, or other channels.
  • Legitimate deletions, such as retiring an assignment during an approved change, fire the alert as well; reconcile alerts with change records rather than tuning the rule to ignore them.

Reference

  • Azure Monitor activity log: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log
  • Azure Monitor alert rules: https://docs.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-types

Section 2: Tags and Keywords

  • tags: azure, policy, compliance, security
  • keywords: delete, policy assignment, activity log alert