Skip to content

Latest commit

 

History

History
86 lines (72 loc) · 2.68 KB

2.3. Governance - Azure Policies.md

File metadata and controls

86 lines (72 loc) · 2.68 KB
Raw

Microsoft Azure Policies

  • Configures what kind of resources can be deployed and managed
  • Ensures proper cloud governance by controlling resource deployment and usage.
    • ❗ Publishing requires Microsoft.Authorization/policyassigments/write permission.
  • The assigner is saved as assignedBy property.
  • Apply to new and existing resources.
    • Resources are scanned hourly for compliance with policies.

Policy types

  • Built-in policies
    • E.g.: Require SQL Server 12.0, Allowed Storage Account SKU, Allowed Resource Types, Allowed Locations, Allowed Virtual Machine SKUs, Apply tag and its default value, Enforce tag and its value, Not allowed resource types
  • Custom Policies

    • JSON format

      • Supports logical operations (or, allOf, noneOf) and if statements.

    • Used for granular resource control

      • E.g. limit load balancer creation to IT admins.

    • Can be create manually or by copying existing policy from e.g. GitHub.

      • E.g.
      {
  "policyRule": {
    "if": {
      "not": {
        "field": "location",
        "in": "[parameters('allowedLocations')]"
      }
    },
    "then": {
      "effect": "audit"
    },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "description": "The list of allowed locations for resources",
          "displayName": "Allowed Locations",
          "strongType": "location"
        }
      }
    }
  }
}

Policy parameters

  • Passed to policy
  • Enable policy reuse
    • Fewer policies are required.
  • String or array

Policy Effects

  • Append: Resource policy additions, e.g. tags.
  • Audit: Logging only, generates a warning.
  • AuditIfNotExists: Enables audit if resource does not exists
  • Deny: Denies deployment
    • 💡 Existing non-compliant resources are marked but not deleted.
  • DeployIfNotExists: If resource does not exists, deploy it.

Management Groups

  • Organizes multiple subscriptions.
  • Up to 6 hierarchical levels.
  • Allows to assign policy groups
    • 💡 Subscriptions inherit settings
  • Facilitates RBAC
  • Subscriptions can be moved to other parts of hierarchy.

Policy exclusions

  • Called exclusion scopes
  • Policies can have exclusions in different scopes
  • Scopes can be e.g. resource groups in subscription, or VMs in resource groups.

Policy Initiative Definations

  • Groups policies into a single unit.
  • Used when a single Azure governance goal consists of multiple checks.
  • Can be assigned to resources/groups/subscriptions
  • E.g. Security Compliance
    1. Check for endpoint protection
    2. Check for VM disk encryption