This course is adapted from Web Age Course Azure IAM Intermediate Training.
Azure Policies
Azure Policy is a service in Azure that you use to create, assign, and manage policies. Azure Policy runs evaluations and scans for non-compliant resources.
Advantages of Azure policies are:
- Enforcement and compliance
- Apply policies at scale
- Remediation
Usage Cases
- Allowed resource types – Specify the resource types that your organization can deploy
- Allowed virtual machine SKUs – Specify a set of virtual machine SKUs that your organization can deploy
- Allowed locations – Restrict the locations your organization can specify when deploying resources
- Require tag and its value – Enforces a required tag and its value
- Azure Backup should be enabled for Virtual Machines – Audit whether the Azure Backup service is enabled for all virtual machines
Azure policy scope
- Management Group
- Subscription
- Resource Group
Policy Definitions
Many policy definitions are available. You can import policies from GitHub. Policy Definitions have a specific JSON format. You can create custom policy definitions.
Custom Policies
A custom policy definition allows customers to define their own rules for using Azure.
These rules often enforce:
- Cost management (SKUs)
- Security practices (roles)
- Organization-specific rules (locations)
Before creating a custom policy, check the policy samples to see if a policy that matches your needs already exists:
https://github.com/Azure/azure-policy
For example, the samples include:
- audit custom RBAC roles
- allowed role definitions
Azure Policy definition structure
Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value.
List of available fields: https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
There are several conditions, such as equals, notEquals, contains, greater, and less. https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure?WT.mc_id=Portal-Microsoft_Azure_Policy#conditions
Azure Policy rule
The policy rule consists of If and Then blocks. In the If block, you define one or more conditions that specify when the policy is enforced. You can apply logical operators to these conditions to precisely define the scenario for a policy. In the Then block, you define the effect that happens when the If conditions are fulfilled.
{
  "if": {
    <condition> | <logical operator>
  },
  "then": {
    "effect": "deny | audit | modify | append | auditIfNotExists | deployIfNotExists | disabled"
  }
}
Azure Policy rule – Logical operators
Supported logical operators:
"not": {condition or operator}
"allOf": [{condition or operator}, ...]
"anyOf": [{condition or operator}, ...]
Example
"if": {
  "allOf": [
    {
      "not": {
        "field": "tags",
        "containsKey": "application"
      }
    },
    {
      "field": "type",
      "equals": "Microsoft.Storage/storageAccounts"
    }
  ]
}
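To make the if/then evaluation concrete, here is an added example (not part of the course material) that implements a small evaluator for the rule grammar just described: "not", "allOf", "anyOf" and the field conditions equals, notEquals and containsKey. It runs the storage-account rule above against constructed sample resources; the resource records and the function names are assumptions of this example, not Azure's own API.

```python
# Added example: a minimal evaluator for the Azure Policy rule grammar
# (if/then, not/allOf/anyOf, field conditions). Sample resources are constructed.

POLICY_RULE = {
    "if": {
        "allOf": [
            {"not": {"field": "tags", "containsKey": "application"}},
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        ]
    },
    "then": {"effect": "deny"},
}

def same_value(a, b):
    """Azure Policy compares strings case-insensitively; mirror that here."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b

def evaluate_condition(cond, resource):
    """Return True when the condition or logical operator matches the resource."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    value = resource.get(cond["field"])  # field alias lookup, e.g. "type" or "tags"
    if "equals" in cond:
        return same_value(value, cond["equals"])
    if "notEquals" in cond:
        return not same_value(value, cond["notEquals"])
    if "containsKey" in cond:
        return isinstance(value, dict) and cond["containsKey"] in value
    raise ValueError(f"unsupported condition: {cond}")

def apply_policy(rule, resource):
    """Return the effect from the 'then' block, or None when the 'if' block does not match."""
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else None

# Constructed sample resources (not real Azure objects)
UNTAGGED_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "tags": {}}
TAGGED_STORAGE = {"type": "microsoft.storage/storageaccounts", "tags": {"application": "payroll"}}
UNTAGGED_VM = {"type": "Microsoft.Compute/virtualMachines", "tags": {}}

if __name__ == "__main__":
    for name, res in [("untagged storage", UNTAGGED_STORAGE),
                      ("tagged storage", TAGGED_STORAGE), ("untagged VM", UNTAGGED_VM)]:
        print(f"{name}: effect = {apply_policy(POLICY_RULE, res)}")
```

Only the untagged storage account triggers the deny effect; the tagged storage account and the VM fall outside the rule because one of the allOf conditions fails.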
Azure Policy – effects
Each policy definition in Azure Policy has a single effect that determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource. These effects are currently supported in a policy definition:
- Append
- Audit
- Deny
- DeployIfNotExists
- Modify
Details are available here: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
- Audit – creates a warning event in the activity log when a non-compliant resource is evaluated, but does not stop the request. e.g. "then": { "effect": "audit" }
- Deny – prevents a resource request that does not match the standards defined in the policy definition and fails the request.
- DeployIfNotExists – executes a template deployment when the condition is met.
- Modify – adds, updates, or removes properties or tags on a resource during creation or update. A common example is updating tags on resources.
- Append – adds additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.