# Compliance and Governance

Comprehensive compliance and governance management for Azure Security Center, enabling regulatory compliance tracking, governance rule management, and compliance reporting across multiple industry standards and frameworks.

## Capabilities

### Regulatory Compliance Standards

Manage and track compliance with regulatory standards such as PCI DSS, SOC TSP, Azure CIS, and other industry frameworks.

```python { .api }
def list(
    filter: Optional[str] = None,
    **kwargs: Any
) -> Iterator[RegulatoryComplianceStandard]:
    """
    List supported regulatory compliance standards.

    Parameters:
    - filter (str, optional): OData filter for results

    Returns:
    Iterator[RegulatoryComplianceStandard]: Iterator of compliance standards
    """

def get(
    regulatory_compliance_standard_name: str,
    **kwargs: Any
) -> RegulatoryComplianceStandard:
    """
    Get details of a specific regulatory compliance standard.

    Parameters:
    - regulatory_compliance_standard_name (str): Name of the compliance standard

    Returns:
    RegulatoryComplianceStandard: Compliance standard details
    """
```

### Regulatory Compliance Controls

Manage compliance controls within regulatory standards.

```python { .api }
def list(
    regulatory_compliance_standard_name: str,
    filter: Optional[str] = None,
    **kwargs: Any
) -> Iterator[RegulatoryComplianceControl]:
    """
    List regulatory compliance controls for a specific standard.

    Parameters:
    - regulatory_compliance_standard_name (str): Name of the compliance standard
    - filter (str, optional): OData filter for results

    Returns:
    Iterator[RegulatoryComplianceControl]: Iterator of compliance controls
    """

def get(
    regulatory_compliance_standard_name: str,
    regulatory_compliance_control_name: str,
    **kwargs: Any
) -> RegulatoryComplianceControl:
    """
    Get details of a specific regulatory compliance control.

    Parameters:
    - regulatory_compliance_standard_name (str): Name of the compliance standard
    - regulatory_compliance_control_name (str): Name of the compliance control

    Returns:
    RegulatoryComplianceControl: Compliance control details
    """
```

### Regulatory Compliance Assessments

Manage compliance assessments that evaluate adherence to regulatory requirements.

```python { .api }
def list(
    regulatory_compliance_standard_name: str,
    regulatory_compliance_control_name: str,
    filter: Optional[str] = None,
    **kwargs: Any
) -> Iterator[RegulatoryComplianceAssessment]:
    """
    List regulatory compliance assessments for a specific control.

    Parameters:
    - regulatory_compliance_standard_name (str): Name of the compliance standard
    - regulatory_compliance_control_name (str): Name of the compliance control
    - filter (str, optional): OData filter for results

    Returns:
    Iterator[RegulatoryComplianceAssessment]: Iterator of compliance assessments
    """

def get(
    regulatory_compliance_standard_name: str,
    regulatory_compliance_control_name: str,
    regulatory_compliance_assessment_name: str,
    **kwargs: Any
) -> RegulatoryComplianceAssessment:
    """
    Get details of a specific regulatory compliance assessment.

    Parameters:
    - regulatory_compliance_standard_name (str): Name of the compliance standard
    - regulatory_compliance_control_name (str): Name of the compliance control
    - regulatory_compliance_assessment_name (str): Name of the compliance assessment

    Returns:
    RegulatoryComplianceAssessment: Compliance assessment details
    """
```

### Compliance Results

Access historical compliance results and compliance posture data.

```python { .api }
def list(
    scope: str,
    **kwargs: Any
) -> Iterator[ComplianceResult]:
    """
    List compliance results for a specific scope.

    Parameters:
    - scope (str): Resource scope (subscription, resource group, or resource)

    Returns:
    Iterator[ComplianceResult]: Iterator of ComplianceResult objects
    """

def get(
    scope: str,
    compliance_result_name: str,
    **kwargs: Any
) -> ComplianceResult:
    """
    Get details of a specific compliance result.

    Parameters:
    - scope (str): Resource scope
    - compliance_result_name (str): Name of the compliance result

    Returns:
    ComplianceResult: Compliance result details
    """
```

### Compliances

Manage overall compliance posture and compliance summaries.

```python { .api }
def list(
    scope: str,
    **kwargs: Any
) -> Iterator[Compliance]:
    """
    List compliances for a specific scope.

    Parameters:
    - scope (str): Resource scope (subscription, resource group, or resource)

    Returns:
    Iterator[Compliance]: Iterator of Compliance objects
    """

def get(
    scope: str,
    compliance_name: str,
    **kwargs: Any
) -> Compliance:
    """
    Get details of a specific compliance.

    Parameters:
    - scope (str): Resource scope
    - compliance_name (str): Name of the compliance

    Returns:
    Compliance: Compliance details
    """
```

### Governance Rules

Manage governance rules that define security governance policies and requirements.

```python { .api }
def list(
    scope: str,
    **kwargs: Any
) -> Iterator[GovernanceRule]:
    """
    List governance rules for a specific scope.

    Parameters:
    - scope (str): Resource scope (management group or subscription)

    Returns:
    Iterator[GovernanceRule]: Iterator of GovernanceRule objects
    """

def get(
    scope: str,
    rule_id: str,
    **kwargs: Any
) -> GovernanceRule:
    """
    Get details of a specific governance rule.

    Parameters:
    - scope (str): Resource scope
    - rule_id (str): ID of the governance rule

    Returns:
    GovernanceRule: Governance rule details
    """

def create_or_update(
    scope: str,
    rule_id: str,
    governance_rule: GovernanceRule,
    **kwargs: Any
) -> GovernanceRule:
    """
    Create or update a governance rule.

    Parameters:
    - scope (str): Resource scope
    - rule_id (str): ID of the governance rule
    - governance_rule (GovernanceRule): Governance rule data

    Returns:
    GovernanceRule: Created or updated governance rule
    """

def delete(
    scope: str,
    rule_id: str,
    **kwargs: Any
) -> None:
    """
    Delete a governance rule.

    Parameters:
    - scope (str): Resource scope
    - rule_id (str): ID of the governance rule

    Returns:
    None
    """

def operation_results(
    scope: str,
    rule_id: str,
    operation_id: str,
    **kwargs: Any
) -> OperationResult:
    """
    Get the result of a governance rule operation.

    Parameters:
    - scope (str): Resource scope
    - rule_id (str): ID of the governance rule
    - operation_id (str): ID of the operation

    Returns:
    OperationResult: Operation result details
    """
```

### Governance Assignments

Manage governance assignments that apply governance rules to specific resources or scopes.

```python { .api }
def list(
    scope: str,
    assessment_name: str,
    **kwargs: Any
) -> Iterator[GovernanceAssignment]:
    """
    List governance assignments for a specific scope and assessment.

    Parameters:
    - scope (str): Resource scope
    - assessment_name (str): Name of the assessment

    Returns:
    Iterator[GovernanceAssignment]: Iterator of GovernanceAssignment objects
    """

def get(
    scope: str,
    assessment_name: str,
    assignment_key: str,
    **kwargs: Any
) -> GovernanceAssignment:
    """
    Get details of a specific governance assignment.

    Parameters:
    - scope (str): Resource scope
    - assessment_name (str): Name of the assessment
    - assignment_key (str): Key of the governance assignment

    Returns:
    GovernanceAssignment: Governance assignment details
    """

def create_or_update(
    scope: str,
    assessment_name: str,
    assignment_key: str,
    governance_assignment: GovernanceAssignment,
    **kwargs: Any
) -> GovernanceAssignment:
    """
    Create or update a governance assignment.

    Parameters:
    - scope (str): Resource scope
    - assessment_name (str): Name of the assessment
    - assignment_key (str): Key of the governance assignment
    - governance_assignment (GovernanceAssignment): Assignment data

    Returns:
    GovernanceAssignment: Created or updated assignment
    """

def delete(
    scope: str,
    assessment_name: str,
    assignment_key: str,
    **kwargs: Any
) -> None:
    """
    Delete a governance assignment.

    Parameters:
    - scope (str): Resource scope
    - assessment_name (str): Name of the assessment
    - assignment_key (str): Key of the governance assignment

    Returns:
    None
    """
```

### Custom Assessment Automations

Manage custom assessment automations for governance and compliance evaluation.

```python { .api }
def list_by_subscription(
    **kwargs: Any
) -> Iterator[CustomAssessmentAutomation]:
    """
    List custom assessment automations in the subscription.

    Returns:
    Iterator[CustomAssessmentAutomation]: Iterator of automation objects
    """

def list_by_resource_group(
    resource_group_name: str,
    **kwargs: Any
) -> Iterator[CustomAssessmentAutomation]:
    """
    List custom assessment automations in a resource group.

    Parameters:
    - resource_group_name (str): Name of the resource group

    Returns:
    Iterator[CustomAssessmentAutomation]: Iterator of automation objects
    """

def get(
    resource_group_name: str,
    custom_assessment_automation_name: str,
    **kwargs: Any
) -> CustomAssessmentAutomation:
    """
    Get details of a custom assessment automation.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - custom_assessment_automation_name (str): Name of the automation

    Returns:
    CustomAssessmentAutomation: Automation details
    """

def create(
    resource_group_name: str,
    custom_assessment_automation_name: str,
    custom_assessment_automation_body: CustomAssessmentAutomationRequest,
    **kwargs: Any
) -> CustomAssessmentAutomation:
    """
    Create a custom assessment automation.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - custom_assessment_automation_name (str): Name of the automation
    - custom_assessment_automation_body (CustomAssessmentAutomationRequest): Automation data

    Returns:
    CustomAssessmentAutomation: Created automation
    """

def delete(
    resource_group_name: str,
    custom_assessment_automation_name: str,
    **kwargs: Any
) -> None:
    """
    Delete a custom assessment automation.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - custom_assessment_automation_name (str): Name of the automation

    Returns:
    None
    """
```

### Custom Entity Store Assignments

Manage custom entity store assignments for governance data management.

```python { .api }
def list_by_subscription(
    **kwargs: Any
) -> Iterator[CustomEntityStoreAssignment]:
    """
    List custom entity store assignments in the subscription.

    Returns:
    Iterator[CustomEntityStoreAssignment]: Iterator of assignment objects
    """

def list_by_resource_group(
    resource_group_name: str,
    **kwargs: Any
) -> Iterator[CustomEntityStoreAssignment]:
    """
    List custom entity store assignments in a resource group.

    Parameters:
    - resource_group_name (str): Name of the resource group

    Returns:
    Iterator[CustomEntityStoreAssignment]: Iterator of assignment objects
    """

def get(
    resource_group_name: str,
    custom_entity_store_assignment_name: str,
    **kwargs: Any
) -> CustomEntityStoreAssignment:
    """
    Get details of a custom entity store assignment.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - custom_entity_store_assignment_name (str): Name of the assignment

    Returns:
    CustomEntityStoreAssignment: Assignment details
    """

def create(
    resource_group_name: str,
    custom_entity_store_assignment_name: str,
    custom_entity_store_assignment_request_body: CustomEntityStoreAssignmentRequest,
    **kwargs: Any
) -> CustomEntityStoreAssignment:
    """
    Create a custom entity store assignment.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - custom_entity_store_assignment_name (str): Name of the assignment
    - custom_entity_store_assignment_request_body (CustomEntityStoreAssignmentRequest): Assignment data

    Returns:
    CustomEntityStoreAssignment: Created assignment
    """

def delete(
    resource_group_name: str,
    custom_entity_store_assignment_name: str,
    **kwargs: Any
) -> None:
    """
    Delete a custom entity store assignment.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - custom_entity_store_assignment_name (str): Name of the assignment

    Returns:
    None
    """
```

## Types

```python { .api }
class RegulatoryComplianceStandard:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    state: Optional[str]  # Passed, Failed, Skipped, Unsupported
    passed_controls: Optional[int]
    failed_controls: Optional[int]
    skipped_controls: Optional[int]
    unsupported_controls: Optional[int]

class RegulatoryComplianceControl:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    description: Optional[str]
    state: Optional[str]  # Passed, Failed, Skipped, Unsupported
    passed_assessments: Optional[int]
    failed_assessments: Optional[int]
    skipped_assessments: Optional[int]
    unsupported_assessments: Optional[int]

class RegulatoryComplianceAssessment:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    description: Optional[str]
    assessment_type: Optional[str]
    assessment_details_link: Optional[str]
    state: Optional[str]  # Passed, Failed, Skipped, Unsupported
    passed_resources: Optional[int]
    failed_resources: Optional[int]
    skipped_resources: Optional[int]
    unsupported_resources: Optional[int]

class ComplianceResult:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    resource_status: Optional[str]  # Healthy, NotApplicable, OffByPolicy, Unhealthy
    policy_definition_id: Optional[str]
    policy_definition_name: Optional[str]
    policy_definition_action: Optional[str]
    policy_assignment_id: Optional[str]
    policy_assignment_name: Optional[str]
    policy_assignment_owner: Optional[str]
    policy_assignment_parameters: Optional[Dict[str, Any]]
    policy_assignment_scope: Optional[str]
    policy_definition_reference_id: Optional[str]
    compliance_state: Optional[str]
    policy_evaluation_details: Optional[PolicyEvaluationDetails]
    policy_definition_group_names: Optional[List[str]]
    components_compliance_results: Optional[List[ComplianceResult]]
    policy_definition_version: Optional[str]
    policy_assignment_version: Optional[str]

class Compliance:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    assessment_timestamp_utc_date: Optional[datetime]
    resource_count: Optional[int]
    assessment_result: Optional[List[ComplianceSegment]]

class GovernanceRule:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    tenant_id: Optional[str]
    display_name: Optional[str]
    description: Optional[str]
    remediation_timeframe: Optional[str]
    is_graceful: Optional[bool]
    rule_priority: Optional[int]
    is_disabled: Optional[bool]
    rule_type: Optional[str]  # Integrated, ServiceNow
    source_resource_type: Optional[str]
    excluded_scopes: Optional[List[str]]
    condition_sets: Optional[List[GovernanceRuleConditionSet]]
    include_member_scopes: Optional[bool]
    owner_source: Optional[GovernanceRuleOwnerSource]
    governance_email_notification: Optional[GovernanceRuleEmailNotification]
    metadata: Optional[GovernanceRuleMetadata]

class GovernanceAssignment:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    owner: Optional[str]
    remediation_due_date: Optional[datetime]
    remediation_eta: Optional[RemediationEta]
    is_grace_period: Optional[bool]
    governance_email_notification: Optional[GovernanceEmailNotification]
    additional_data: Optional[Dict[str, str]]

class CustomAssessmentAutomation:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    system_data: Optional[SystemData]
    compressed_query: Optional[str]
    supported_cloud: Optional[str]  # AWS, GCP
    severity: Optional[str]  # High, Medium, Low
    display_name: Optional[str]
    description: Optional[str]
    remediation_description: Optional[str]
    assessment_key: Optional[str]

class CustomEntityStoreAssignment:
    id: Optional[str]
    name: Optional[str]
    type: Optional[str]
    system_data: Optional[SystemData]
    principal: Optional[str]
    entity_type: Optional[str]

class ComplianceSegment:
    segment_type: Optional[str]
    percentage: Optional[float]

class PolicyEvaluationDetails:
    evaluated_expressions: Optional[List[ExpressionEvaluationDetails]]

class GovernanceRuleConditionSet:
    conditions: Optional[List[GovernanceRuleCondition]]

class GovernanceRuleOwnerSource:
    type: Optional[str]  # Manually, ByTag
    value: Optional[str]

class GovernanceRuleEmailNotification:
    disable_manager_email_notification: Optional[bool]
    disable_owner_email_notification: Optional[bool]

class RemediationEta:
    eta: Optional[datetime]
    justification: Optional[str]
```

## Usage Examples

### Regulatory Compliance Monitoring

```python
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter

credential = DefaultAzureCredential()
client = SecurityCenter(credential, "subscription-id")

# Get all supported compliance standards
standards = client.regulatory_compliance_standards.list()
for standard in standards:
    print(f"Standard: {standard.name}")
    print(f"State: {standard.state}")
    # Counters are Optional[int]; treat a missing value as 0 so the arithmetic cannot fail
    passed = standard.passed_controls or 0
    failed = standard.failed_controls or 0
    print(f"Passed: {passed}/{passed + failed}")

    # Get failing controls for this standard
    controls = client.regulatory_compliance_controls.list(
        standard.name,
        filter="properties/state eq 'Failed'"
    )

    for control in controls:
        print(f"  Failed Control: {control.description}")
        print(f"  Failed Assessments: {control.failed_assessments}")

        # Get specific assessment details
        assessments = client.regulatory_compliance_assessments.list(
            standard.name,
            control.name,
            filter="properties/state eq 'Failed'"
        )

        for assessment in assessments:
            print(f"    Assessment: {assessment.description}")
            print(f"    Failed Resources: {assessment.failed_resources}")
```
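The standards, controls and assessments operation groups documented above form a three-level hierarchy, and the usage example walks it by printing. The following added example (not code from the page or from the Azure SDK) collects the same walk into a structured report that a script or test can consume: it applies the page's `properties/state eq 'Failed'` filter at each level, treats `None` counters as 0, and computes a per-standard control pass rate. It runs offline against a constructed stand-in client that exposes only the three `list(...)` signatures documented above; the standard, control and assessment names in the sample data are invented.

```python
from dataclasses import dataclass, field
from types import SimpleNamespace
from typing import Any, Dict, List, Optional

FAILED_FILTER = "properties/state eq 'Failed'"  # OData filter used on the page


@dataclass
class FailedAssessment:
    standard: str
    control: str
    assessment: str
    failed_resources: int


@dataclass
class StandardSummary:
    name: str
    state: Optional[str]
    passed_controls: int
    failed_controls: int
    failed_assessments: List[FailedAssessment] = field(default_factory=list)

    @property
    def control_pass_rate(self) -> Optional[float]:
        """Share of evaluated (passed + failed) controls that passed; None when none were evaluated."""
        evaluated = self.passed_controls + self.failed_controls
        return None if evaluated == 0 else self.passed_controls / evaluated


def build_report(client: Any) -> Dict[str, StandardSummary]:
    """Walk standards -> failed controls -> failed assessments and collect the findings.

    `client` only needs the three regulatory_compliance_* operation groups with the
    list(...) signatures documented above (the real SecurityCenter client satisfies this).
    """
    report: Dict[str, StandardSummary] = {}
    for standard in client.regulatory_compliance_standards.list():
        summary = StandardSummary(
            name=standard.name,
            state=standard.state,
            passed_controls=standard.passed_controls or 0,  # Optional[int] -> int
            failed_controls=standard.failed_controls or 0,
        )
        for control in client.regulatory_compliance_controls.list(standard.name, filter=FAILED_FILTER):
            for assessment in client.regulatory_compliance_assessments.list(
                standard.name, control.name, filter=FAILED_FILTER
            ):
                summary.failed_assessments.append(FailedAssessment(
                    standard=standard.name,
                    control=control.name,
                    assessment=assessment.description or assessment.name,
                    failed_resources=assessment.failed_resources or 0,
                ))
        report[standard.name] = summary
    return report


# --- constructed offline stand-in for the SDK client (not the SDK itself) ---
def _ns(**kw: Any) -> SimpleNamespace:
    return SimpleNamespace(**kw)

_STANDARDS = [
    _ns(name="PCI-DSS-3.2.1", state="Failed", passed_controls=30, failed_controls=2),
    _ns(name="Azure-CIS-1.1.0", state="Passed", passed_controls=45, failed_controls=None),
]
_CONTROLS = {
    "PCI-DSS-3.2.1": [_ns(name="1.1", state="Failed"), _ns(name="2.2", state="Passed"), _ns(name="8.3", state="Failed")],
    "Azure-CIS-1.1.0": [_ns(name="1.1", state="Passed")],
}
_ASSESSMENTS = {
    ("PCI-DSS-3.2.1", "1.1"): [_ns(name="a1", description="NSG should restrict inbound RDP", state="Failed", failed_resources=3)],
    ("PCI-DSS-3.2.1", "8.3"): [
        _ns(name="a2", description="MFA should be enabled for owners", state="Failed", failed_resources=None),
        _ns(name="a3", description="Diagnostic logs enabled", state="Passed", failed_resources=0),
    ],
}

def _filtered(items: List[Any], filter: Optional[str]):
    # The real service evaluates the OData filter; the stand-in honours only the one used here.
    return iter([i for i in items if i.state == "Failed"]) if filter == FAILED_FILTER else iter(items)

fake_client = _ns(
    regulatory_compliance_standards=_ns(list=lambda filter=None, **kw: _filtered(_STANDARDS, filter)),
    regulatory_compliance_controls=_ns(list=lambda std, filter=None, **kw: _filtered(_CONTROLS.get(std, []), filter)),
    regulatory_compliance_assessments=_ns(
        list=lambda std, ctl, filter=None, **kw: _filtered(_ASSESSMENTS.get((std, ctl), []), filter)),
)

if __name__ == "__main__":
    for name, s in build_report(fake_client).items():  # swap fake_client for the real client
        rate = s.control_pass_rate
        print(f"{name}: {s.state}" + (f", control pass rate {rate:.0%}" if rate is not None else ""))
        for fa in s.failed_assessments:
            print(f"  {fa.control}: {fa.assessment} ({fa.failed_resources} failing resources)")
```

Because `build_report` depends only on the documented `list` signatures, the same function runs unchanged against `SecurityCenter(credential, subscription_id)`; the stand-in exists so the traversal and the `None` handling can be exercised without a subscription.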

### Governance Rule Management

```python
# `client` is the SecurityCenter client created in the previous example

# Create a governance rule for high severity findings
governance_rule = {
    "display_name": "Critical Security Findings",
    "description": "Automatic assignment for critical security findings",
    "remediation_timeframe": "7.00:00:00",  # 7 days
    "is_graceful": True,
    "rule_priority": 100,
    "is_disabled": False,
    "rule_type": "Integrated",
    "source_resource_type": "Assessments",
    "condition_sets": [{
        "conditions": [{
            "property": "$.AssessmentDisplayName",
            "value": "Critical",
            "operator": "Contains"
        }]
    }],
    "owner_source": {
        "type": "ByTag",
        "value": "SecurityOwner"
    },
    "governance_email_notification": {
        "disable_manager_email_notification": False,
        "disable_owner_email_notification": False
    }
}

scope = "subscriptions/subscription-id"
rule = client.governance_rules.create_or_update(
    scope,
    "critical-findings-rule",
    governance_rule
)
print(f"Created rule: {rule.display_name}")

# List all governance assignments
assignments = client.governance_assignments.list(
    scope,
    "assessment-name"
)

for assignment in assignments:
    print(f"Assignment: {assignment.owner}")
    print(f"Due Date: {assignment.remediation_due_date}")
    print(f"Grace Period: {assignment.is_grace_period}")
```
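The rule above sets `remediation_timeframe` to `"7.00:00:00"` (a `d.hh:mm:ss` duration) and lists assignments with a `remediation_due_date` and an `is_grace_period` flag, but does nothing with them. The following added example (not from the page or the SDK) parses that duration format, derives the due date a rule implies for a finding, and triages assignments into overdue, due soon, in grace period or on track, so a daily job can escalate the right owners. `AssignmentView` is a constructed stand-in carrying only the `GovernanceAssignment` fields used here; the interpretation of `is_grace_period` (the finding sits inside a graceful rule's timeframe and does not yet count against the score) and the two-day "due soon" window are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# d.hh:mm:ss as written in the rule above ("7.00:00:00"); the leading "d." is optional
_TIMESPAN = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")


def parse_timeframe(value: str) -> timedelta:
    """Turn a remediation_timeframe string into a timedelta; rejects anything else."""
    match = _TIMESPAN.match(value.strip())
    if not match:
        raise ValueError(f"unsupported remediation timeframe: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def remediation_due(assigned_at: datetime, remediation_timeframe: str) -> datetime:
    """Due date a rule with this timeframe implies for a finding assigned at assigned_at (UTC-aware)."""
    if assigned_at.tzinfo is None:
        raise ValueError("assigned_at must be timezone-aware")
    return assigned_at + parse_timeframe(remediation_timeframe)


@dataclass
class AssignmentView:
    """The GovernanceAssignment fields this triage needs (constructed view, not the SDK model)."""
    owner: Optional[str]
    remediation_due_date: Optional[datetime]
    is_grace_period: Optional[bool]


def triage(assignment: AssignmentView, now: datetime, due_soon: timedelta = timedelta(days=2)) -> str:
    """Classify as 'overdue', 'due_soon', 'in_grace', 'on_track' or 'no_due_date'."""
    due = assignment.remediation_due_date
    if due is None:
        return "no_due_date"
    if now > due:
        return "overdue"
    if due - now <= due_soon:
        return "due_soon"
    # Assumption: is_grace_period means the finding is inside a graceful rule's
    # timeframe and does not yet count against secure score.
    if assignment.is_grace_period:
        return "in_grace"
    return "on_track"


def overdue_owners(assignments: List[AssignmentView], now: datetime) -> List[str]:
    """Distinct owners with at least one overdue assignment, in first-seen order."""
    seen: List[str] = []
    for a in assignments:
        if triage(a, now) == "overdue" and a.owner and a.owner not in seen:
            seen.append(a.owner)
    return seen


if __name__ == "__main__":
    now = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)
    sample = [  # constructed data; in practice iterate client.governance_assignments.list(scope, name)
        AssignmentView("alice@example.com", now - timedelta(days=1), False),
        AssignmentView("bob@example.com", now + timedelta(hours=12), True),
        AssignmentView("carol@example.com", remediation_due(now, "7.00:00:00"), True),
        AssignmentView(None, None, None),
    ]
    for a in sample:
        print(a.owner, triage(a, now))
    print("overdue:", overdue_owners(sample, now))
```

`triage` checks the due date before the grace flag on purpose: a graceful rule still produces a hard due date, and an assignment past it is overdue whatever the flag says.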

### Custom Assessment Automation

```python
# `client` is the SecurityCenter client created in the first example

# Create custom assessment for governance
automation_request = {
    "compressed_query": "base64-encoded-kql-query",
    "supported_cloud": "AWS",
    "severity": "High",
    "display_name": "Custom AWS Security Assessment",
    "description": "Custom assessment for AWS resource security",
    "remediation_description": "Follow remediation steps to secure resources"
}

automation = client.custom_assessment_automations.create(
    "security-rg",
    "aws-security-assessment",
    automation_request
)
print(f"Created automation: {automation.display_name}")

# List all automations
automations = client.custom_assessment_automations.list_by_subscription()
for auto in automations:
    print(f"Automation: {auto.display_name}")
    print(f"Cloud: {auto.supported_cloud}")
    print(f"Severity: {auto.severity}")
```
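The example above leaves `compressed_query` as the placeholder `"base64-encoded-kql-query"`. The following added example (not from the page or the SDK) shows how to produce that field from a KQL string and how to validate the request before calling `create`. It assumes the service expects base64 text of a gzip stream (the REST API describes `compressedQuery` as a GZip-encoded KQL query; the page itself only says base64), and it enforces the `supported_cloud` and `severity` values listed in the `CustomAssessmentAutomation` type above. The sample query is constructed and its table name is a placeholder.

```python
import base64
import gzip
from typing import Any, Dict

# Allowed values from the CustomAssessmentAutomation type above
SUPPORTED_CLOUDS = {"AWS", "GCP"}
SEVERITIES = {"High", "Medium", "Low"}


def compress_query(kql: str) -> str:
    """Encode a KQL query for compressed_query: gzip, then base64 text.

    Assumption: the service wants base64 of a gzip stream. mtime=0 keeps the
    output deterministic, so the request body does not change on every build.
    """
    if not kql.strip():
        raise ValueError("KQL query must not be empty")
    return base64.b64encode(gzip.compress(kql.encode("utf-8"), mtime=0)).decode("ascii")


def decompress_query(compressed: str) -> str:
    """Inverse of compress_query; raises on malformed base64 or a non-gzip payload."""
    return gzip.decompress(base64.b64decode(compressed, validate=True)).decode("utf-8")


def is_gzip_payload(compressed: str) -> bool:
    """True when the base64 text decodes to something starting with the gzip magic bytes."""
    try:
        return base64.b64decode(compressed, validate=True)[:2] == b"\x1f\x8b"
    except (ValueError, TypeError):
        return False


def build_automation_request(display_name: str, kql: str, supported_cloud: str, severity: str,
                             description: str = "", remediation_description: str = "") -> Dict[str, Any]:
    """Build the dict passed as custom_assessment_automation_body, rejecting values the type does not allow."""
    if supported_cloud not in SUPPORTED_CLOUDS:
        raise ValueError(f"supported_cloud must be one of {sorted(SUPPORTED_CLOUDS)}, got {supported_cloud!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}, got {severity!r}")
    if not display_name.strip():
        raise ValueError("display_name must not be empty")
    return {
        "compressed_query": compress_query(kql),
        "supported_cloud": supported_cloud,
        "severity": severity,
        "display_name": display_name,
        "description": description,
        "remediation_description": remediation_description,
    }


# Constructed sample; the table and column names are placeholders, not a real schema
SAMPLE_KQL = """// constructed sample query
ExampleStorageBuckets
| where PublicAccess == true
| project ResourceId, Region
"""

if __name__ == "__main__":
    request = build_automation_request(
        "Public storage buckets", SAMPLE_KQL, "AWS", "High",
        description="Buckets reachable without authentication",
        remediation_description="Block public access on the bucket",
    )
    print(request["compressed_query"])
    print(decompress_query(request["compressed_query"]) == SAMPLE_KQL)
    # then: client.custom_assessment_automations.create("security-rg", "public-buckets", request)
```

Validating the enumerated fields client-side turns a rejected request into a local `ValueError` with the offending value, and `decompress_query` lets a reviewer read back what an existing automation actually runs.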

### Compliance Results Analysis

```python
# `client` is the SecurityCenter client created in the first example

# Get compliance results for subscription
scope = "subscriptions/subscription-id"
results = client.compliance_results.list(scope)

compliant_resources = 0
non_compliant_resources = 0

for result in results:
    if result.resource_status == "Healthy":
        compliant_resources += 1
    else:
        non_compliant_resources += 1

    print(f"Resource: {result.name}")
    print(f"Policy: {result.policy_definition_name}")
    print(f"Status: {result.resource_status}")
    print(f"Compliance State: {result.compliance_state}")

total_resources = compliant_resources + non_compliant_resources
if total_resources == 0:
    print("No compliance results in scope")
else:
    compliance_percentage = compliant_resources / total_resources * 100
    print(f"Overall Compliance: {compliance_percentage:.1f}%")
```
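The example above counts every result that is not `Healthy` as non-compliant, which lumps `NotApplicable` and `OffByPolicy` (the other two `resource_status` values listed in the `ComplianceResult` type) in with `Unhealthy` and drags the percentage down for resources the policy never evaluated. The following added example (not from the page or the SDK) groups results by policy definition, counts each status separately, excludes the two non-evaluated statuses from the denominator, and returns `None` rather than a misleading number when nothing was evaluated. `ResultView` is a constructed stand-in for the `ComplianceResult` fields used; the resource and policy names in the sample data are invented.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# resource_status values from the ComplianceResult type above
HEALTHY, UNHEALTHY, NOT_APPLICABLE, OFF_BY_POLICY = "Healthy", "Unhealthy", "NotApplicable", "OffByPolicy"
KNOWN_STATUSES = {HEALTHY, UNHEALTHY, NOT_APPLICABLE, OFF_BY_POLICY}
UNKNOWN = "Unknown"  # constructed bucket for a missing or unexpected status


@dataclass
class ResultView:
    """The ComplianceResult fields used here (constructed view, not the SDK model)."""
    name: str
    policy_definition_name: Optional[str]
    resource_status: Optional[str]


@dataclass
class PolicySummary:
    counts: Counter = field(default_factory=Counter)
    unhealthy: List[str] = field(default_factory=list)  # resource names that failed the policy

    @property
    def evaluated(self) -> int:
        # Only Healthy/Unhealthy say anything about compliance; NotApplicable,
        # OffByPolicy and Unknown are excluded from the denominator.
        return self.counts[HEALTHY] + self.counts[UNHEALTHY]

    @property
    def compliance_pct(self) -> Optional[float]:
        return None if self.evaluated == 0 else 100.0 * self.counts[HEALTHY] / self.evaluated


def summarize(results: Iterable[ResultView]) -> Dict[str, PolicySummary]:
    """Group compliance results by policy definition and count each resource_status."""
    summaries: Dict[str, PolicySummary] = {}
    for r in results:
        policy = r.policy_definition_name or "<no policy definition>"
        status = r.resource_status if r.resource_status in KNOWN_STATUSES else UNKNOWN
        summary = summaries.setdefault(policy, PolicySummary())
        summary.counts[status] += 1
        if status == UNHEALTHY:
            summary.unhealthy.append(r.name)
    return summaries


def overall_pct(summaries: Dict[str, PolicySummary]) -> Optional[float]:
    """Healthy share across all evaluated results; None for an empty or entirely non-evaluated scope."""
    healthy = sum(s.counts[HEALTHY] for s in summaries.values())
    evaluated = sum(s.evaluated for s in summaries.values())
    return None if evaluated == 0 else 100.0 * healthy / evaluated


# Constructed sample data; in practice build ResultView from client.compliance_results.list(scope)
SAMPLE = [
    ResultView("vm-01", "Audit VMs without managed disks", HEALTHY),
    ResultView("vm-02", "Audit VMs without managed disks", HEALTHY),
    ResultView("vm-03", "Audit VMs without managed disks", UNHEALTHY),
    ResultView("vm-04", "Audit VMs without managed disks", HEALTHY),
    ResultView("vm-05", "Audit VMs without managed disks", NOT_APPLICABLE),
    ResultView("st-01", "Secure transfer to storage accounts", OFF_BY_POLICY),
    ResultView("st-02", "Secure transfer to storage accounts", OFF_BY_POLICY),
    ResultView("kv-01", None, None),
]

if __name__ == "__main__":
    summaries = summarize(SAMPLE)
    for policy, s in summaries.items():
        pct = s.compliance_pct
        shown = f"{pct:.1f}%" if pct is not None else "not evaluated"
        print(f"{policy}: {shown} ({dict(s.counts)}) unhealthy={s.unhealthy}")
    total = overall_pct(summaries)
    print("Overall:", f"{total:.1f}%" if total is not None else "no evaluated results")
```

Reporting `None` instead of 0% or 100% for a scope with nothing evaluated matters when the number feeds a dashboard or an alert threshold: an all-`OffByPolicy` scope is a policy-assignment gap to investigate, not a passing score.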