As we figured out last week, Azure Role-Based Access Control (RBAC) is very important when it comes to managing Microsoft Azure. But there is another important feature you should know about to keep control: Azure Policy.
Problems with RBAC
Remember how RBAC works: Security Principal, Role and Scope meet each other and define your final set of rights:
If you think about this, you will figure out that you may still have an issue. If a user has the right to create VMs … he can create any VM he wants, in any region he wants. And as we know, VMs in Azure can cost $80 a month, or for the larger sizes up to $200,000 a month. So you may wish to have a solution for this.
Another problem is that you can control what a user can do, but not really what a resource looks like. People with the right role can create storage accounts, but nobody is forcing them to require HTTPS. Admins with the respective role can create VMs, but they may forget to add a backup. Also, you cannot define what the “inside” configuration of a VM looks like. Network admins may create a Public IP, but assign it to internal systems by accident.
These are things you cannot solve with roles, scopes or security principals … this is the moment when you start to love the capabilities of Azure Policy…
What is Azure Policy?!
Azure Policy is the default-allow, explicit-deny system in Azure. It focuses on the properties of a resource, like:
Related services like backup and monitoring
So it is the perfect addition to RBAC … RBAC gives you explicit access … Policy defines which configurations you can apply and which ones are not allowed.
Some very common policies are:
Allowed VM Sizes
Enable Security Center
Apply specific Tags
How are Azure Policies created?!
If you want to manage your Azure Policies, you can do this via the Azure Portal, via CLI or PowerShell, or even via CI/CD or Blueprints. So you can see there are multiple options. As this is a basic article, let’s try the easy way through the portal.
You can find the “Policy” view in the Azure Portal. Here you can see a compliance overview across all your subscriptions and resources. There are some default policies like the “ASC Default”, which are set by and for Azure Security Center.
Azure Policy works with Definitions and Assignments. Definitions can be grouped together into Initiatives. To make it simple:
Policy Definitions – represent a specific policy which defines what is allowed or not allowed
Policy Initiatives – a group of policies that makes assigning them to certain scopes easier
Policy Assignments – the way to apply a policy or initiative to a chosen scope. Here you set the parameters for the specific assignment.
Policy Definitions work with an if-then approach and look like this:
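As an added example that is not part of the original post, here is a definition in that if-then shape for the “storage accounts must require HTTPS” case from above, together with a small evaluator that shows the default-allow / explicit-deny behaviour and how an assignment parameter feeds the effect. The evaluator, the flat alias-keyed resource dicts and the sample resources are assumptions for this demonstration, not Azure’s own engine.

```python
import re

# Added example (not the original post's code): a minimal evaluator for the if/then
# "policyRule" of an Azure Policy definition; a resource here is a flat dict keyed by alias.
POLICY = {
    "displayName": "Storage accounts must only allow HTTPS traffic",
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

def _matches(cond, resource):
    """Recursively evaluate an 'if' block: allOf / anyOf / not / field tests."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    norm = lambda v: str(v).lower()  # Azure compares values case-insensitively
    value = norm(resource.get(cond["field"]))
    if "equals" in cond:
        return value == norm(cond["equals"])
    if "notEquals" in cond:
        return value != norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource, params=None):
    """Return the effect for one resource: the 'then' effect when the 'if'
    block matches, otherwise 'Allow' (Azure Policy is default-allow)."""
    if not _matches(policy["policyRule"]["if"], resource):
        return "Allow"
    effect = policy["policyRule"]["then"]["effect"]
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", effect)  # "[parameters('x')]"
    if m:  # take the assignment's value, else the definition's default
        name = m.group(1)
        effect = (params or {}).get(name, policy["parameters"][name]["defaultValue"])
    return effect

# Constructed sample resources, keyed by alias; not real deployments.
STORAGE_HTTP_ALLOWED = {"type": "Microsoft.Storage/storageAccounts",
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": "false"}
VM = {"type": "Microsoft.Compute/virtualMachines"}
```

The VM is untouched because the `type` condition does not match, which is the default-allow side; the storage account without HTTPS enforcement hits the explicit deny unless the assignment overrides the effect to Audit.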