Azure Policy: Enforce Standards To Keep Your Organization Safe
Updated: Dec 24, 2022
These days, it seems like we never get a break from rules and regulations. You can't eat over the sink (Food Code rule 3-301.11) or pet a chimp (NY Health Code, Article 161). If you want to build a deck in your yard, you need to call the local government first (IRC R507.3), and if you're going to see an R-rated movie alone, theaters will insist on ID for proof of age (42 U.S.C.A. Sec 1201). Some rules are necessary and helpful—the ones that prevent people from getting sick from poorly prepared food or seeing things they're too young for—but others feel arbitrary at best and infuriating at worst, especially when we encounter them at work. However, there's an upside to all these pesky regulations: they keep us safe, healthy, and law-abiding citizens of the world!
Azure Policy is your tool for keeping your organization safe by enforcing standards in your subscriptions or resource groups, through policies that you define yourself so they match the needs of your organization. Using Azure Policy lets you assess compliance with those standards automatically across each subscription or resource group where it's applied using data gathered by Azure Resource Manager from both built-in and custom policy definitions.
Use Azure Policy for your organization's governance needs.
Azure Policy is a policy management solution for your organization's governance needs. It provides you with the ability to manage and enforce consistent security and compliance policies across your Azure resources in hybrid environments. With Azure Policy, you can:
Easily apply governance policies to your workloads by using templates that were created by Microsoft or by yourself. You can also create custom templates from scratch or import existing ones from other sources like the Microsoft Security Compliance Manager (SCM).
Create compliance plans that include multiple rules, each having its own unique scope such as "system roles", "resource groups", and/or "location". For example, you can use it to specify that all workloads under myuser@myorg must comply with mycorp-standard-appliance-policy applied at level 1 (which means this rule will be applied for all resources within scope).
Define and manage your policy standards.
You’re an administrator of a Microsoft Azure subscription, or you have some authority over the usage of Azure resources. You want to control the costs associated with those resources, but also maximize their overall value. To do this, you need a means of defining and enforcing your own policies that are specific to your organization. You can use Azure Policy to define these policies and apply them at various levels in the cloud—allowing you to create policies that are relevant across subscriptions, resource groups, virtual machines (VMs), applications, users, groups—and more!
Assess compliance with Azure Policy.
Now that you're familiar with Azure Policy and its key features, let's talk about how best to assess compliance with it. First, what should you not assess?
Your ability to write good security code
Your commitment to protecting the confidentiality and integrity of data stored in your Azure services
The quality of the food served in the company cafeteria
In other words, this isn't an audit; it's an evaluation of how well your actions align with Microsoft's guidelines. What should you assess?
Which set of policies will be applicable for your organization based on specific criteria (e.g., deployment type)
Whether you've implemented safeguards as prescribed by those policies (e.g., encryption keys)
Enforce standards automatically with Azure Policy initiatives.
Azure Policy initiatives are a way to automatically enforce your organization's standards. They are a powerful tool that can be used in combination with automation, and they provide an alternative to manual enforcement of norms, policies, and standards.
Azure Policy initiatives can be created from the Azure portal or from the Azure Policy portal. Initiatives can be triggered by a variety of events and will ensure compliance by applying any necessary restrictions on resources and entities. Initiatives are powerful because they have multiple conditions that must be met before they trigger and apply their restrictions. You can also configure them so that only certain groups are affected by them—specific users won't necessarily have their access restricted if there is an issue with compliance for a particular resource type or entity type (whether it's an entire subscription or just one resource).
Automatically remediate non-compliance using Azure Policy initiatives.
Azure Policy initiatives are a powerful mechanism for automatically remediating non-compliance. This can be done using Policies, Triggers, and Automate actions.
Example 1: You have a policy that requires your users to have an active service plan before they can access any resources. If the user is not in compliance with this policy, they won't be able to access any resources until they remedy their non-compliance by creating a service plan or renewing their existing one. The next time they try to access any resource, Azure will check if there is an active service plan attached to their subscription and only then allow them into the resource group or virtual network where the resource resides.
Example 2: Your organization has strict compliance requirements for data stored on Azure Storage Blobs (blobs). You need a way of verifying that no sensitive information has been leaked into public storage accounts such as GDPR requirement when storing personal information about individuals within European Union member states including France, Germany, Italy, Spain, Portugal, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Greece, Hungary, Latvia, Lithuania, Malta, Poland, Romania, Slovenia, Slovak Republic, Sweden, and United Kingdom.
You can use policies and initiatives in Azure to enforce your organization's standards and automatically fix violations.
Now you know what policies and initiatives are, but what do they do? Policies are rules that you set to enforce standards. For example, your organization may have a policy that all virtual machines must be protected by an anti-virus agent at all times. If you create a policy with this requirement, then when someone tries to provision a new virtual machine without an anti-virus agent, it will fail until the agent is added. You can also use policies to enforce other types of requirements such as restricting access based on organizational hierarchy or geographic location.
When users violate your policies (i.e., they provision something in Azure that doesn't meet the specified requirements), Azure Automation will detect this violation and automatically remediate it using an initiative called Runbook Automation Agent for Cloud Services. This means you don't have to manually fix violations; instead, Azure Automation does it for you! Additionally, because these runbooks contain automated remediation steps (such as adding an anti-virus agent), organizations can significantly reduce costs associated with maintaining compliance by eliminating manual processes and tasks such as logging into multiple systems (e.g., Portal) just so someone could approve each request individually."
In this post, I discussed how to use Azure Policy in conjunction with Azure Initiatives. The first step is to create a policy that meets the needs of your organization. Then, you can assign it to a specific scope or add it to an initiative and have it applied across many different subscriptions or resource groups. Get started by checking out the Azure Docs site for Azure policies and initiatives: https://docs.microsoft.com/en-us/azure/governance/policy/
I like free training, so also don't miss the training from Microsoft with their Azure Policy learning module to get you started: https://docs.microsoft.com/en-us/learn/modules/configure-azure-policy/