Azure Policy

An Azure policy is a rule that can be assigned at the management group, subscription, resource group, or individual resource scope so that everything under that scope is evaluated against the organization's standards.

This means that action can be taken against non-compliant resources at request time, whether that is blocking their creation outright, writing an audit entry so administrators can follow up, and so on. A special feature here is the remediation task, which can deploy an Azure Resource Manager template (the deployIfNotExists effect) or patch resource properties (the modify effect) to bring resources into compliance automatically. While this is extremely useful when creating new resources, be cautious when running a remediation task against resources that already exist: the adjustments may make major, unwanted changes across an organization's Azure environment. Removing the policy assignment afterwards (through the portal, API, or CLI) only stops further enforcement; it does not undo changes a remediation task has already made, so test a remediation at a small scope first and keep a record of what it changed.

A great benefit of policies is that they can be assigned at scale: one assignment at a management group covers every subscription and resource group beneath it, so there is no need to repeat the same policy across several areas. Even at that scale, individual scopes can be excluded from an assignment (or granted an exemption), which gives finer-grained control over the Azure environment.

Example

For the image below, I added an Azure policy that approved compliance for whether Cosmos DB accounts used customer-managed keys for data encryption. The opportunity to add these comes up when first creating a Cosmos DB resource, so I thought that it would be perfect to select the “Service-managed key” data encryption method instead, hoping that either 

  1. I wouldn’t be able to create the resource or 
  2. I’d get a non-compliant audit on the Policy dashboard. 

As expected, Azure found that the resource was non-compliant and sent an audit report. 

Update: The behavior applied to such resources is controlled by a parameter (typically named effect) that is set when the policy is assigned. Its default value can also be adjusted in the parameters block (defaultValue) of the policy definition's JSON.

The following options are supported for policy effects:

  • Append – adds specified fields (for example a tag) to a resource during create or update
  • Audit – allows the request but logs a warning and marks the resource non-compliant
  • AuditIfNotExists – audits when a related resource (such as a diagnostic setting) is missing
  • Deny – blocks the create or update request
  • DeployIfNotExists – deploys a related resource from an ARM template when it is missing; this is what a remediation task runs
  • Disabled – turns evaluation off without deleting the assignment
  • Modify – adds, replaces, or removes properties or tags on the resource, at request time or through remediation for existing resources
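The following is an added example, not the blog's code and not Azure's evaluation engine. It builds a definition modeled on the Cosmos DB customer-managed-key check with a parameterized effect (Audit by default) and a small local evaluator, so you can see offline how the assignment-time parameter turns the same rule into Audit, Deny, or Disabled. The alias name Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri, the sample resources, and the simplified field resolution are assumptions constructed for this example; the evaluator supports only the operators this rule uses.

```python
"""Local model of an Azure Policy definition with a parameterized effect.

Added example: not the blog author's code and not Azure's evaluation engine.
The alias name below is an assumption; field resolution is simplified.
"""
import json

# Definition modeled on the built-in "Cosmos DB accounts should use
# customer-managed keys" check. The effect parameter defaults to Audit and an
# assignment may override it with Deny or Disabled.
COSMOS_CMK_DEFINITION = {
    "mode": "Indexed",
    "parameters": {
        "effect": {
            "type": "String",
            "defaultValue": "Audit",
            "allowedValues": ["Audit", "Deny", "Disabled"],
        }
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.DocumentDB/databaseAccounts"},
                # Alias name is an assumption for this example.
                {"field": "Microsoft.DocumentDB/databaseAccounts/keyVaultKeyUri",
                 "exists": "false"},
            ]
        },
        "then": {"effect": "[parameters('effect')]"},
    },
}

# Constructed sample resources (not real Azure objects).
SERVICE_MANAGED = {"type": "Microsoft.DocumentDB/databaseAccounts",
                   "name": "cosmos-smk", "properties": {}}
CUSTOMER_MANAGED = {"type": "Microsoft.DocumentDB/databaseAccounts",
                    "name": "cosmos-cmk",
                    "properties": {"keyVaultKeyUri":
                                   "https://example-kv.vault.azure.net/keys/cosmos-key"}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "st1", "properties": {}}


def _field_value(resource, field):
    """Resolve a policy field: top-level type/name/location, otherwise treat the
    alias's last segment as a key under resource['properties'] (simplification)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])


def _condition_matches(resource, cond):
    """Evaluate the subset of policy condition operators this rule needs."""
    if "allOf" in cond:
        return all(_condition_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition_matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _condition_matches(resource, cond["not"])
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def resolve_effect(definition, assignment_params=None):
    """Resolve [parameters('effect')]: the assignment value wins, otherwise the
    definition's defaultValue. Values outside allowedValues are rejected, as the
    service would reject them at assignment time."""
    spec = definition["parameters"]
    params = {k: v.get("defaultValue") for k, v in spec.items()}
    for k, v in (assignment_params or {}).items():
        allowed = spec[k].get("allowedValues")
        if allowed is not None and v["value"] not in allowed:
            raise ValueError(f"{v['value']!r} is not an allowed value for {k}")
        params[k] = v["value"]
    effect = definition["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        effect = params[effect[len("[parameters('"):-len("')]")]]
    return effect


def evaluate(definition, resource, assignment_params=None):
    """Return Skipped (Disabled), Compliant, NonCompliant (Audit) or Denied (Deny)."""
    effect = resolve_effect(definition, assignment_params)
    if effect == "Disabled":
        return "Skipped"
    if not _condition_matches(resource, definition["policyRule"]["if"]):
        return "Compliant"
    return "Denied" if effect == "Deny" else "NonCompliant"


if __name__ == "__main__":
    print(json.dumps(COSMOS_CMK_DEFINITION, indent=2))
    for params in (None, {"effect": {"value": "Deny"}}, {"effect": {"value": "Disabled"}}):
        print(params, evaluate(COSMOS_CMK_DEFINITION, SERVICE_MANAGED, params))
```

The policyRule and parameters dicts are the same shape you would pass to az policy definition create via --rules and --params, and the assignment_params dict is the shape az policy assignment create expects in --params (parameter name mapped to {"value": ...}), so switching the author's audit result to a hard block is a matter of assigning with the effect set to Deny rather than editing the definition.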
Categories: Cloud
