Description:
An Activity Log Alert for Delete Policy Assignment ensures that any attempt to delete a Policy Assignment in your Azure environment triggers a notification. Azure Policy Assignments are used to enforce compliance by applying policies that control and audit resources in your environment. Deleting a Policy Assignment can have a significant impact on your governance and security posture, as it removes the enforcement of policies on the targeted resources. Monitoring and tracking such deletions is crucial to ensure that no critical policies are removed without proper authorization.
By creating an Activity Log Alert for Delete Policy Assignment actions, you can ensure that any deletion of policy assignments is tracked and responded to immediately.
Rationale:
By configuring an Activity Log Alert for Delete Policy Assignment actions, you can:
Monitor deletions of important Azure Policy Assignments that enforce security, compliance, and governance across your Azure resources.
Ensure that policy removals are tracked and authorized, preventing accidental or unauthorized changes.
Improve security by notifying administrators when a policy is removed, helping to ensure that compliance is maintained.
Support governance by ensuring that policy assignments critical to resource management are not deleted without due review.
Impact:
Configuring this Activity Log Alert ensures that you are notified immediately when a Policy Assignment is deleted, enabling quick action to restore the policy or investigate the reason for its removal. This ensures that security and compliance policies are consistently enforced. However, this could lead to a higher volume of alerts in environments with frequent policy updates or changes. It is essential to handle and manage these notifications appropriately.
Default Value:
By default, Activity Log Alerts for Delete Policy Assignment actions are not configured. You need to manually create and configure these alerts to track and respond to such events.
Pre-requisites:
Azure subscription.
Owner or Contributor role permissions to create Activity Log Alerts.
Azure Monitor enabled for logging.
Log Analytics workspace (optional, for storing telemetry data).
Azure Policy assigned to resources in your environment.
Audit:
Sign in to Azure portal as an Owner, Contributor, or Monitoring Contributor.
Navigate to Azure Monitor and review the Activity Log Alerts to ensure that alerts for Delete Policy Assignment actions are configured.
Verify that the configured alert is properly notifying users when a Policy Assignment is deleted.
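The audit step above can be scripted against the JSON that `az monitor activity-log alert list -o json` prints. The check below is an added example (not part of this recommendation or of Azure's tooling): it flags rules that match the policy assignment delete operation but are disabled or have no action group attached, using a constructed sample with placeholder IDs in place of real output.

```python
import json

# Operation name the Activity Log records when a policy assignment is deleted.
REQUIRED_OPERATION = "Microsoft.Authorization/policyAssignments/delete"

# Constructed sample shaped like `az monitor activity-log alert list -o json` output
# (placeholder IDs): a compliant rule, a disabled rule and one with no action group.
_COND = {"allOf": [{"field": "category", "equals": "Administrative"},
                   {"field": "operationName", "equals": REQUIRED_OPERATION}]}
SAMPLE_ALERT_LIST = json.dumps([
    {"name": "DeletePolicyAssignmentAlert", "enabled": True, "condition": _COND,
     "scopes": ["/subscriptions/<Subscription-ID>"],
     "actions": {"actionGroups": [{"actionGroupId": "<Action-Group-ID>"}]}},
    {"name": "OldPolicyAlert", "enabled": False, "condition": _COND,
     "scopes": ["/subscriptions/<Subscription-ID>"],
     "actions": {"actionGroups": [{"actionGroupId": "<Action-Group-ID>"}]}},
    {"name": "NoRecipients", "enabled": True, "condition": _COND,
     "scopes": ["/subscriptions/<Subscription-ID>"], "actions": {"actionGroups": []}},
])

def leaf_conditions(rule):
    """Yield (field, value) pairs from the rule's allOf block, flattening anyOf
    groups: a rule whose anyOf lists several operations still covers ours."""
    for clause in rule.get("condition", {}).get("allOf", []):
        for leaf in clause.get("anyOf") or [clause]:
            field, value = leaf.get("field"), leaf.get("equals")
            if field and value:
                yield field.lower(), value.lower()

def covers_policy_assignment_delete(rule):
    """True if the rule's condition matches the policy assignment delete operation."""
    return ("operationname", REQUIRED_OPERATION.lower()) in set(leaf_conditions(rule))

def audit(alert_list_json):
    """Return (compliant, findings) for the JSON printed by the alert list command."""
    compliant, findings = False, []
    for rule in json.loads(alert_list_json):
        if not covers_policy_assignment_delete(rule):
            continue
        name = rule.get("name", "<unnamed>")
        if not rule.get("enabled", False):
            findings.append(f"{name}: matches the operation but is disabled")
        elif not rule.get("actions", {}).get("actionGroups"):
            findings.append(f"{name}: matches the operation but has no action group")
        else:
            compliant = True
            findings.append(f"{name}: OK, scopes {rule.get('scopes', [])}")
    if not findings:
        findings.append(f"no alert rule targets {REQUIRED_OPERATION}")
    return compliant, findings
```

Run it as `audit(open("alerts.json").read())` after saving the CLI output to a file; the subscription is compliant only when at least one enabled, action-group-backed rule covers the operation.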
Implementation Steps (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
In the Azure portal, go to Azure Monitor and select Activity Log under Monitoring.
Create a New Alert for Delete Policy Assignment:
In Activity Log Alerts, click on + New alert rule.
Under Scope, select your subscription or resource group.
Under Condition, choose Activity Log as the signal type.
Set the Event Category to Delete and the Resource Type to Microsoft.Authorization/policyAssignments.
Filter further by Operation Name: Delete Policy Assignment.
Example of criteria:
Event Category: Delete
Operation Name: Delete Policy Assignment
Resource Type: Microsoft.Authorization/policyAssignments
Set Up Action Group:
Under Action Group, either select an existing action group or create a new one to define how the alert will notify you (e.g., via Email, SMS, Webhook).
You can send notifications to security teams or policy administrators whenever a Policy Assignment is deleted.
Review and Create:
Review the configuration and ensure the alert is set to notify you when a Policy Assignment is deleted.
Click Create to save the alert rule.
Automate Alert Creation Using Azure CLI: To automate the creation of an Activity Log Alert for Delete Policy Assignment using Azure CLI, run the following command:
az monitor activity-log alert create \
  --name "DeletePolicyAssignmentAlert" \
  --resource-group <Resource-Group-Name> \
  --scope "/subscriptions/<Subscription-ID>" \
  --condition "category=Administrative and operationName=Microsoft.Authorization/policyAssignments/delete" \
  --action-group <Action-Group-ID> \
  --description "Alert for deletion of Policy Assignment"
Replace <Resource-Group-Name>, <Subscription-ID> and <Action-Group-ID> with the appropriate values for your environment. The rule is enabled when created. Note that the CLI condition takes the operation name as recorded in the Activity Log (Microsoft.Authorization/policyAssignments/delete), not the portal display name "Delete Policy Assignment".
Test the Alert:
After configuring the Activity Log Alert, test it by deleting a Policy Assignment and ensuring that the alert is triggered and the notification is sent to the designated recipients.
Monitor and Review Alerts:
Use Azure Monitor to track the alert history and ensure that it is functioning as expected.
Review the alert history to verify that Policy Assignment deletions are being logged.
Backout Plan (Automated):
Sign in to Azure portal:
Use an account with Owner, Contributor, or Monitoring Contributor permissions.
Navigate to Azure Monitor:
Go to Azure Monitor in the Azure portal.
Delete or Modify the Alert:
In Activity Log Alerts, locate the Delete Policy Assignment alert you created.
Select the alert and either delete it or modify its parameters as needed (e.g., change the notification action group, adjust alert criteria).
Verify Alert Removal:
After removing or modifying the alert, ensure that it no longer triggers notifications for Delete Policy Assignment events.
Test the Backout:
Test the configuration by deleting a Policy Assignment to confirm that the alert no longer triggers, or, if you modified the alert rather than removing it, that it behaves as expected after the backout.