sammyonyekwere/Identity-Governance-Automation
An Azure Bicep-based IaC solution that delivers identity governance and Zero Trust protection through automated PIM, access reviews, and log alerting.
Stars: 0 | Forks: 0
[Deploy workflow](https://github.com/sammyonyekwere/Identity-Governance-Automation/actions/workflows/deploy.yml)
[MIT License](https://opensource.org/licenses/MIT)
[Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/)
## 📖 Executive Summary
This repository demonstrates an automated, secure Identity Governance lifecycle adhering to the principles of **Least Privilege** and **Zero Trust**.
Unlike manual role assignments, this project focuses on **dynamic governance**: Azure AD Privileged Identity Management (PIM) provides time-bound eligibility, Access Reviews enforce periodic attestation, and Azure Monitor Activity Log Alerts flag privilege escalations.
## 🏗️ Architecture
```mermaid
graph TD
    subgraph "Azure Tenant / Microsoft Entra ID"
        User((User))
        Admin((Admin))
        PIM[Privileged Identity Management]
        Review[Access Reviews]
    end
    subgraph "Azure Subscription Environment"
        RBAC[Subscription RBAC]
        ActivityLog[Activity Log: Role Assignments]
    end
    subgraph "Azure Monitor / SecOps"
        AlertRule[Activity Log Alert]
        ActionGroup[Action Group: Email]
    end
    User -->|Requests Elevation| PIM
    PIM -->|Grants Temporary Role| RBAC
    Review -->|Audits Eligibility| PIM
    Review -->|Revokes/Approves| RBAC
    Admin -->|Manual Override/Write| RBAC
    RBAC -.->|Triggers| ActivityLog
    ActivityLog -.->|Evaluates| AlertRule
    AlertRule -->|Notifies| ActionGroup
```
## 🛠️ Tech Stack
* **Infrastructure as Code**: Azure Bicep (Modularized design)
* **Identity & Governance**:
  * Microsoft Entra ID (Azure AD)
  * Privileged Identity Management (PIM)
  * Access Reviews
* **Monitoring & SecOps**:
  * Azure Monitor (Activity Log Alerts)
  * Azure Action Groups (Email Notifications)
## 📂 Repository Structure
This project follows modular infrastructure practices:
```
/
├── modules/                  # Reusable Bicep modules
│   ├── rbac-pim.bicep        # Sets up Contributor eligibility via PIM
│   ├── access-reviews.bicep  # Creates quarterly attestation reviews
│   └── alerts.bicep          # Provisions privilege escalation alerts
├── main.bicep                # Orchestrator for subscription deployment
└── README.md                 # System documentation
```
### 1. Privileged Identity Management (PIM)
* **Temporary Elevation**: Standard, permanent role assignments (like Contributor) are shifted to "Eligible" assignments requiring deliberate, time-bound activation.
* **Least Privilege Enforcement**: By default, the eligibility lasts for 1 year and allows the user to assume the role only when needed.
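The following subscription-scoped template is an added example of how such an eligible (rather than permanent) Contributor assignment is expressed in Bicep; it is not the repository's `rbac-pim.bicep`, and the parameter names, the `P365D` default and the justification text are assumptions chosen to match the one-year eligibility described above.

```bicep
// Added example, not the repository's own module: creates a PIM *eligible*
// Contributor assignment at subscription scope instead of a permanent one.
targetScope = 'subscription'

@description('Object ID of the user or group that becomes eligible for Contributor (assumed parameter name)')
param principalId string

@description('Eligibility window as an ISO 8601 duration; P365D matches the one-year default described above')
param eligibilityDuration string = 'P365D'

@description('Start of the eligibility window; defaults to deployment time')
param startDateTime string = utcNow()

// Well-known built-in role definition ID for the Contributor role
var contributorRoleDefinitionId = 'b24988ac-6180-42a0-ab88-20f7382dd24f'

resource contributorEligibility 'Microsoft.Authorization/roleEligibilityScheduleRequests@2020-10-01' = {
  // The resource name must be a GUID; deriving it from stable inputs gives a predictable name
  name: guid(subscription().id, principalId, contributorRoleDefinitionId)
  properties: {
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleDefinitionId)
    // AdminAssign creates eligibility only; the principal still has to activate through PIM
    requestType: 'AdminAssign'
    justification: 'Contributor eligibility managed by IaC; activation is time-bound via PIM'
    scheduleInfo: {
      startDateTime: startDateTime
      expiration: {
        // Eligibility expires automatically after the window instead of lingering indefinitely
        type: 'AfterDuration'
        duration: eligibilityDuration
      }
    }
  }
}

output eligibilityRequestId string = contributorEligibility.id
```

Deploy it with `az deployment sub create --location <region> --template-file <file> --parameters principalId=<object-id>`. Because the principal receives eligibility rather than an active assignment, nothing in the subscription changes until an activation request goes through PIM, which is the point at which the duration, justification and approval settings configured on the role apply.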
### 2. Automated Access Reviews
* **Attestation**: Initiates a recurring Azure AD Access Review Schedule (Quarterly).
* **Justification Requirements**: Demands justification from assignees regarding why they still need elevated access to prevent privilege creep.
### 3. Privilege Escalation Alerts
* **Continuous Monitoring**: Hooks into the `Microsoft.Authorization/roleAssignments/write` API event within Azure Monitor.
* **Instant Notifications**: An Action Group dispatches administrative email alerts detailing any persistent or newly created role assignments that bypass PIM.
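As an added example of the monitoring hook described above (not the repository's `alerts.bicep`), the resource-group-scoped template below provisions the email Action Group and an Activity Log alert that fires on every successful `Microsoft.Authorization/roleAssignments/write` in the subscription. The resource names, parameter name and description text are assumptions; a subscription-scoped `main.bicep` would deploy it through a module targeting a resource group.

```bicep
// Added example, not the repository's own module: Action Group plus Activity Log
// alert for successful role assignment writes anywhere in the subscription.
@description('Mailbox that receives the privilege escalation notifications (assumed parameter name)')
param alertEmailAddress string

resource secOpsActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-secops-role-assignments'
  location: 'Global' // action groups are global resources
  properties: {
    groupShortName: 'secopsrbac' // limited to 12 characters
    enabled: true
    emailReceivers: [
      {
        name: 'secops-mailbox'
        emailAddress: alertEmailAddress
        useCommonAlertSchema: true
      }
    ]
  }
}

resource roleAssignmentWriteAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
  name: 'alert-role-assignment-write'
  location: 'global' // activity log alerts are global resources
  properties: {
    enabled: true
    description: 'A role assignment was written in this subscription; verify it went through PIM.'
    // Evaluate the whole subscription, not only the resource group the alert lives in
    scopes: [
      subscription().id
    ]
    condition: {
      allOf: [
        {
          field: 'category'
          equals: 'Administrative'
        }
        {
          field: 'operationName'
          equals: 'Microsoft.Authorization/roleAssignments/write'
        }
        {
          // Only completed writes; the 'Started' records for the same operation would double the noise
          field: 'status'
          equals: 'Succeeded'
        }
      ]
    }
    actions: {
      actionGroups: [
        {
          actionGroupId: secOpsActionGroup.id
        }
      ]
    }
  }
}

output alertRuleId string = roleAssignmentWriteAlert.id
```

Note that PIM activations also write a role assignment and therefore also trigger this rule; if the volume is a problem, inspect the `caller` field on a few activation events in your tenant's Activity Log and add a matching `caller` condition to `allOf` so that only assignments written outside PIM reach the mailbox.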
## 📋 Prerequisites
* An Azure Subscription
* Azure CLI installed (`az login`)
* Owner or Role Based Access Control Administrator permissions over the Subscription (to assign PIM requests and create Access Reviews)
* Microsoft Entra ID P2 License (Required for PIM and Access Reviews functionality)
## 🚀 Deployment Instructions
**Option 1: One-Click Deploy (Local)**
```bash
# Clone the repository
git clone https://github.com/sammyonyekwere/Identity-Governance-Automation.git
# Change into the directory
cd Identity-Governance-Automation
# Set deployment variables
PRINCIPAL_ID=""
ALERT_EMAIL=""
LOCATION="eastus"
# Deploy the Bicep template
az deployment sub create \
  --name "IdentityGovernanceDeployment" \
  --location "$LOCATION" \
  --template-file main.bicep \
  --parameters principalId="$PRINCIPAL_ID" alertEmailAddress="$ALERT_EMAIL"
```
**Option 2: GitHub Actions (CI/CD)**
1. Fork this repository.
2. Configure Azure OIDC or Service Principal secrets (`AZURE_CLIENT_ID`, etc.) inside GitHub Settings.
3. Set GitHub repository secrets for `PRINCIPAL_ID` and `ALERT_EMAIL`.
4. Push to `main` to trigger the automated CI/CD workflow (if defined).
## 🗺️ Roadmap
* [ ] Integration with **Azure Policy** to automatically block permanent role assignments entirely.
* [ ] Add **Terraform** alternative for multi-cloud platform deployments.
* [ ] Implement **multi-stage approval flows** for PIM role activation.
Tags: Azure, Azure AD, Azure Bicep, Azure Monitor, EC2, GitHub Actions, IaC, JSONLines, Microsoft Entra ID, PIM, SecOps, temporary privileges, cloud security architecture, dynamic privileges, least privilege, privilege escalation monitoring, activity log alerts, privileged identity management, automated governance, auto notes, access reviews, semantic web, identity governance, zero trust