CloudSploit

AZURE / Azure Policy / Resources Allowed Locations

Quick Info

| | |
|-|-|
| **Plugin Title** | Resources Allowed Locations |
| **Cloud** | AZURE |
| **Category** | Azure Policy |
| **Description** | Ensures deployed resources and resource groups belong to the list set in the allowed locations for resource groups policy |
| **More Info** | Setting allowed locations for a service helps ensure the service can only be deployed in expected locations. |
| **AZURE Link** | https://docs.microsoft.com/en-us/azure/governance/policy/assign-policy-portal |
| **Recommended Action** | Ensure that all services contain policy definitions that define allowed locations. |

Detailed Remediation Steps

  1. Log into the Microsoft Azure Management Console.
  2. Find the search bar at the top and search for Policy.
  3. On the "Policy" page, scroll down the left navigation panel and choose "Assignments" under "Authoring".
  4. On the "Policy - Assignments" page, check the "Policies" listed. If there are no "Policies" for "Resources Allowed Locations", then the selected "Assignment" does not have any "Resources Allowed Locations" policy.
  5. If there is no policy for "Resources Allowed Locations" then click on "Assign policy" at the top to create a new policy.
  6. On the "Assign Policy" page, under "Basics" tab, select "Scope" accordingly and click on the "..." dots icon next to "Policy definition".
  7. On the "Available Definitions" page, click on the "Search" box and search for "Resources Allowed Locations". Click the Policy Definition found and then click the "Select" button at the bottom.
  8. Once back on the "Assign Policy" page, provide a "Description" and click on the "Next" button at the bottom. Now select "Allowed locations" on the "Parameters" tab and click "Next" at the bottom.
  9. On the "Remediation" tab, click on the checkbox next to "Create a Managed Identity" and select the desired "Managed Identity Location". Click the "Review + create" button at the bottom.
  10. On the "Review + Create" tab, click the "Create" button at the bottom to create the specific "Resources Allowed Locations" policy.
  11. Repeat steps 6 - 10 to enable the built-in "Azure Policy definition: Audit Resources Allowed Locations" for all directories.
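
Once the assignment exists, the condition this plugin describes can be checked offline against exported data. The following is an added example, not CloudSploit's own plugin code: it assumes policy assignments and resources have already been exported as plain objects in the flattened shape shown, and the function name, sample IDs and sample locations are constructed for illustration.

```javascript
// Added example, not CloudSploit plugin code. Input shapes are assumptions:
// assignments: [{ displayName, parameters: { listOfAllowedLocations: { value: [...] } } }]
// resources:   [{ id, location }]  (resource groups and resources alike)

// Locations appear both as "West Europe" and "westeurope"; compare one form.
const norm = (loc) => String(loc || '').toLowerCase().replace(/\s+/g, '');

function auditLocations(assignments, resources) {
  // Keep only assignments that carry the allowed-locations parameter.
  const lists = (assignments || [])
    .map((a) => a.parameters && a.parameters.listOfAllowedLocations)
    .filter((p) => p && Array.isArray(p.value))
    .map((p) => new Set(p.value.map(norm)));

  if (lists.length === 0) {
    return { status: 'FAIL', message: 'No allowed-locations policy assignment found', violations: [] };
  }

  const violations = (resources || [])
    .filter((r) => {
      const loc = norm(r.location);
      // The built-in allowed-locations definition exempts 'global' resources.
      if (loc === 'global') return false;
      // A resource must satisfy every assignment; a missing location is flagged.
      return lists.some((allowed) => !allowed.has(loc));
    })
    .map((r) => ({ id: r.id, location: r.location }));

  return violations.length
    ? { status: 'FAIL', message: `${violations.length} resource(s) outside allowed locations`, violations }
    : { status: 'PASS', message: 'All resources are in allowed locations', violations };
}

// Constructed sample data (placeholder subscription ID and names).
const SUB = '/subscriptions/00000000-0000-0000-0000-000000000000';
const sampleAssignments = [
  { displayName: 'Allowed locations', parameters: { listOfAllowedLocations: { value: ['eastus', 'West Europe'] } } },
  { displayName: 'Require a tag on resources', parameters: { tagName: { value: 'owner' } } },
];
const sampleResources = [
  { id: `${SUB}/resourceGroups/rg-app`, location: 'eastus' },
  { id: `${SUB}/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stlogs`, location: 'westeurope' },
  { id: `${SUB}/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachines/vm1`, location: 'southeastasia' },
  { id: `${SUB}/resourceGroups/rg-app/providers/Microsoft.Network/dnszones/example.com`, location: 'global' },
];

console.log(JSON.stringify(auditLocations(sampleAssignments, sampleResources), null, 2));
```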