As we figured out last week, Azure Role-Based Access Control (RBAC) is a very important thing when it comes to the management of Microsoft Azure. But there is another important feature you should know to keep control: Azure Policy.
Problems with RBAC
Remember how RBAC works: Security Principal, Role and Scope meet each other and define your final set of rights:
If you think about this, you will figure out that you may still have an issue. If a user has the right to create VMs … he can create any VM he wants, in any region he wants. And as we know, VMs in Azure can cost 80$ a month, or for the larger sizes go up to 200.000$ a month. So you may wish to have a solution for this.
Another problem is that you can control what a user can do, but not really what a resource looks like. So people with the right role can create Storage accounts, but nobody forces them to set HTTPS as required. Admins with the respective role can create VMs, but they may forget to add a backup. Also, you cannot define what the „inside-configuration“ of a VM looks like. Network Admins may create a Public IP, but assign it to internal systems by accident.
These are things you cannot solve with roles, scopes or security principals … this is the moment when you start to love Azure Policy capabilities…
What is Azure Policy?!
Azure policy is the default allow and explicit deny system in Azure. It focuses on the resource properties of a resource, like:
location
pricing tier
tags
naming
related services like backup and monitoring
in-guest configuration
…
So it is the perfect addition to RBAC … as RBAC gives you explicit access … Policy defines which configurations you can apply and which ones are not allowed.
So very common Policies are:
Enable Monitoring
Allowed Locations
Allowed VM Sizes
Enable Security Center
Apply specific Tags
…
How are Azure Policies created?!
If you want to manage your Azure Policies you can do this via the Azure Portal, via CLI or PowerShell or even via CI/CD or Blueprints. So you can see there are multiple options. As this is a basic article, let’s try the easy way through the portal.
You can find the „Policy“ view in the Azure Portal. Here you can see a compliance overview across all your subscriptions and resources. There are some default policies like the „ASC Default“ which are set by and for Azure Security Center.
Azure Policy works with Definitions and Assignments. Definitions can be grouped together to Initiatives. To make it simple:
Policy Definitions – represents a specific policy which defines what is allowed or not allowed
Policy Initiatives – group of policies that makes assigning policies to certain scopes easier
Policy Assignments – is the way to apply a policy or initiative to a chosen scope. Here you set your parameters for the specific assignment.
Policy Definitions work with an if-then approach and look like this:
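To make the if-then approach concrete, here is an added example (not code from the original post or from Microsoft): two constructed definitions in the JSON shape of Azure Policy rules, Allowed Locations (deny) and HTTPS-only Storage accounts (audit), plus a simplified evaluator that shows the default-allow / explicit-deny behaviour. Parameter values such as the allowed-location list are set per assignment, as in the portal; the `supportsHttpsTrafficOnly` field name and the resource objects are constructed sample input.

```python
import re

# Constructed definitions mirroring the JSON shape of Azure Policy rules.
ALLOWED_LOCATIONS = {
    "parameters": {"listOfAllowedLocations": {"type": "Array"}},
    "policyRule": {
        "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        "then": {"effect": "deny"},
    },
}
HTTPS_ONLY_STORAGE = {
    "parameters": {},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
        ]},
        "then": {"effect": "audit"},
    },
}
# Constructed assignments: (definition, parameter values chosen for that assignment).
ASSIGNMENTS = [
    (ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["westeurope", "northeurope"]}),
    (HTTPS_ONLY_STORAGE, {}),
]

def _resolve(value, params):
    """Replace a [parameters('name')] reference with the assignment's parameter value."""
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    return params[m.group(1)] if m else value

def _matches(cond, resource, params):
    """Evaluate one condition block (simplified: allOf, equals, notEquals, in, notIn)."""
    if "allOf" in cond:
        return all(_matches(c, resource, params) for c in cond["allOf"])
    actual = str(resource.get(cond["field"], "")).lower()  # field matching is case-insensitive
    if "equals" in cond:
        return actual == str(_resolve(cond["equals"], params)).lower()
    if "notEquals" in cond:
        return actual != str(_resolve(cond["notEquals"], params)).lower()
    values = [str(v).lower() for v in _resolve(cond.get("in", cond.get("notIn")), params)]
    return actual in values if "in" in cond else actual not in values

def evaluate(resource, assignments):
    """Return the effects triggered by a resource request; an empty list means it is allowed."""
    return [d["policyRule"]["then"]["effect"] for d, params in assignments
            if _matches(d["policyRule"]["if"], resource, params)]
```

Nothing in a definition grants access; RBAC still decides whether the user may create the resource, and Policy only adds the deny or audit on top.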