As we figured out last week, Azure Role-Based Access Control (RBAC) is a very important thing when it comes to managing Microsoft Azure. But there is another important feature you should know to keep control: Azure Policy.
Problems with RBAC
Remember the function of RBAC, where Security Principal, Role and Scope meet each other and define your final set of rights:
If you think about this, you will figure out that you may still have an issue. If a user has the right to create VMs … he can create any VM he wants, in any region he wants. And as we know, VMs in Azure can cost 80$ a month, or for the larger sizes up to 200.000$ a month. So you may wish to have a solution for this.
Another problem is that you can control what a user can do, but not really what a resource looks like. So people with the right role can create Storage Accounts, but nobody forces them to require HTTPS. Admins with the respective role can create VMs, but they may forget to add a backup. Also you cannot define what the „inside configuration“ of a VM looks like. Network Admins may create a Public IP, but assign it to internal systems by accident.
These are things you cannot solve with roles, scopes or security principals … this is the moment when you start to love Azure Policy capabilities…
What is Azure Policy?!
Azure Policy is the default-allow, explicit-deny system in Azure. It focuses on the properties of a resource, like:
location
pricing tier
tags
naming
related services like backup and monitoring
in-guest configuration
…
So it is the perfect addition to RBAC … RBAC gives you explicit access … Policy defines which configurations you can apply and which ones are not allowed.
So very common Policies are:
Enable Monitoring
Allowed Locations
Allowed VM Sizes
Enable Security Center
Apply specific Tags
…
How are Azure Policies created?!
If you want to manage your Azure Policies, you can do this via the Azure Portal, via CLI or PowerShell, or even via CI/CD or Blueprints. So you can see there are multiple options. As this is a basic article, let’s try the easy way through the portal.
You can find the „Policy“ view in the Azure Portal. Here you can see a compliance overview across all your subscriptions and resources. There are some default policies like the „ASC Default“ which are set by and for Azure Security Center.
Azure Policy works with Definitions and Assignments. Definitions can be grouped together into Initiatives. To make it simple:
Policy Definitions – a specific policy which defines what is allowed or not allowed
Policy Initiatives – a group of policies that makes assigning policies to certain scopes easier
Policy Assignments – the way to apply a policy or initiative to a chosen scope. Here you set the parameters for the specific assignment.
Policy Definitions work with an if-then approach and look like this:
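As an added example (not from the original post), this is what such a definition looks like for an „Allowed Locations“ policy: the if block matches any resource whose location is not in the parameter list, and the then block denies the deployment. The list of locations is a parameter, so its value is supplied when the definition is assigned to a scope.

```json
{
  "properties": {
    "displayName": "Allowed locations",
    "description": "Restrict the regions in which resources can be deployed.",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "The list of locations that can be specified when deploying resources.",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The second condition keeps resources with the location "global" (for example DNS zones) out of the rule, otherwise they would be denied everywhere.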