Azure-docs: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen2 - not working

Created on 13 Oct 2020 · 9 Comments · Source: MicrosoftDocs/azure-docs

Hi, I am a CSS dev support engineer working on a Cx case.

Cx is following the below documentation - https://docs.microsoft.com/en-us/azure/storage/blobs/security-controls-policy#hipaa-hitrust-92 for setting diagnostic logs audit policy on an ADLS Gen2 storage account.

While using the below template, it is working for Gen1 accounts only for the Cx, but the public documentation states that it is for Gen2 - "Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen2"

https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json

Cx - "When we applied the built-in policy mentioned in the JSON, the policy is only showing compliance checkup for Gen1 resource.
The JSON file contains the policy rule as below. Here resource showing as "Microsoft.DataLakeStore/accounts" but for Gen2 it is a storage account. Please clarify."

"policyRule": {
  "if": {
    "field": "type",
    "equals": "Microsoft.DataLakeStore/accounts"
  },



All 9 comments

@vsriram-binary Thanks for the question! We are investigating and will update you shortly.

@DCtheGeek can you help with this? I'm unfamiliar with these controls.

@normesta The list is everything that maps to Azure Policy Regulatory Compliance for the Microsoft.DataLakeStore RP. If that RP covers both "Gen1 and Gen2" or "only Gen1" we should probably update both the title of the page itself to properly reflect that as well as enhance the description of the definition itself. I'll start an internal email and add you to it.

Ok thank you @DCtheGeek! I'll await final confirmation. @vsriram-binary - we will keep you updated with what we learn. Thank you for raising this to our attention!

@vsriram-binary We've confirmed that Microsoft.DataLakeStore RP is for Gen1, so this is both in the wrong TOC and has the wrong title. I've submitted a PR to fix both issues. Once that PR is merged, this issue will automatically close. Publish to live will occur later. Thank you for pointing this out!

@MicrosoftDocs/azure-cxp-triage Please remove label 'product-issue' and add label 'doc-bug'. #in-progress

Thank you @DCtheGeek for the update. So for Customer's ask on diagnostic logs audit template for ADLS gen2 storage accounts - is it available?

@v-albemi Hi, can I know why this request is closed? I was expecting a response from @DCtheGeek. Please advise.

@vsriram-binary

It appears that I merged the pull request, but it's actually the commit that was merged in a different pull request. My understanding is that the commit exists in at least 2 PRs, and it was merged in one of the PRs that was signed off. (In MicrosoftDocs/azure-docs-pr#134207)

This is a GitHub technical issue and not something that PR reviewers can manually watch for or prevent, unfortunately. And I don't have a complete grasp of the situation. The solution might be to be careful to work on an article in only one working branch, one level down from master. If you need more technical help with this, the best place to go is the Docs Support channel in Teams.

Thanks

@vsriram-binary Sorry! I didn't see your follow-up question and the PR I created was set to automatically close this GitHub Issue. @v-albemi _appears_ to have closed it, but that's because he merged my commit. :)

This issue should be closed as the incorrect page was updated, moved, and clarified to be specific to Gen1. If a built-in policy definition for Azure Storage does exist, it'll be documented in one of these places:

If the built-in doesn't exist, the recommendation is to build a custom definition. This tutorial is the best place to start. Thanks!
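Added example (not part of the thread and not Microsoft's code): a simplified Python model of how a policy's `if` block selects resources, showing why the built-in quoted in the issue never evaluates a Gen2 account and what the `if` of a custom definition would have to match instead. The evaluator, the `GEN2_IF` rule, the alias name used in it and the inventory are assumptions constructed for illustration.

```python
# Simplified model of an Azure Policy "if" block (added example, not Azure's engine).
# Supports only: field/equals, allOf, anyOf, not.

def _norm(value):
    # "equals" compares case-insensitively; booleans compare as "true"/"false".
    return "" if value is None else str(value).lower()

def field_value(resource, field):
    """Resolve a built-in field (type, name, kind) or an alias.
    Assumption: alias '<resource type>/<prop>' maps to properties[<prop>],
    and only resolves on resources of that same type."""
    if "/" not in field:
        return resource.get(field)
    rtype, _, prop = field.rpartition("/")
    if rtype.lower() != resource["type"].lower():
        return None
    return resource.get("properties", {}).get(prop)

def matches(cond, resource):
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "equals" not in cond:
        raise ValueError(f"unsupported condition: {cond}")
    return _norm(field_value(resource, cond["field"])) == _norm(cond["equals"])

def in_scope(policy_if, inventory):
    """Names of the resources the policy would evaluate at all."""
    return [r["name"] for r in inventory if matches(policy_if, r)]

# The "if" quoted in the issue (DataLakeStore_AuditDiagnosticLog_Audit.json).
BUILTIN_IF = {"field": "type", "equals": "Microsoft.DataLakeStore/accounts"}

# Hypothetical "if" for a custom definition aimed at Gen2 accounts.
# The alias name is an assumption; confirm it in the current alias list.
GEN2_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"field": "Microsoft.Storage/storageAccounts/isHnsEnabled", "equals": "true"},
]}

# Constructed inventory: one Gen1 account, one Gen2 account, one plain blob account.
INVENTORY = [
    {"name": "adls-gen1", "type": "Microsoft.DataLakeStore/accounts", "properties": {}},
    {"name": "adls-gen2", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"isHnsEnabled": True}},
    {"name": "blob-only", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"isHnsEnabled": False}},
]
```

A resource that falls outside the `if` is not reported as non-compliant; it simply never appears in the compliance results, which is the behaviour the customer observed for Gen2.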
