March 29, 2021 by

This course is adapted from Web Age Course Azure IAM Intermediate Training.

Azure Policies

Azure Policy is a service in Azure that you use to create, assign, and manage policies. Azure Policy runs evaluations and scans for non-compliant resources.

Advantages of Azure policies are:

  • Enforcement and compliance
  • Apply policies at scale
  • Remediation

Usage Cases

Allowed resource types – Specify the resource types that your organization can deploy

Allowed virtual machine SKUs – Specify a set of virtual machine SKUs that your organization can deploy

Allowed locations – Restrict the locations your organization can specify when deploying resources

Require tag and its value – Enforces a required tag and its value

Azure Backup should be enabled for Virtual Machines – Audit if Azure Backup service is enabled for all Virtual machines

Azure policy scope

  • Management Group
  • Subscription
  • Resource Group

Policy Definitions

Many built-in policy definitions are available, and additional policies can be imported from GitHub. Policy definitions have a specific JSON format, and you can also create custom policy definitions.

Custom Policies

A custom policy definition allows customers to define their own rules for using Azure.

These rules often enforce:

  • Cost management (SKUs)
  • Security practices (roles)
  • Organization-specific rules (locations)

Before creating a custom policy, check the policy samples to see if a policy that matches your needs already exists:

https://github.com/Azure/azure-policy

  • audit custom RBAC roles
  • allowed role definitions

Azure Policy definition structure

Policy definitions describe resource compliance conditions and the effect to take if a condition is met. A condition compares a resource property field or a value to a required value.

List of available fields: https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization

There are several conditions, such as equals, notEquals, contains, greater, and less: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure?WT.mc_id=Portal-Microsoft_Azure_Policy#conditions

Azure Policy rule

The policy rule consists of If and Then blocks. In the If block, you define one or more conditions that specify when the policy is enforced. You can apply logical operators to these conditions to precisely define the scenario for a policy. In the Then block, you define the effect that happens when the If conditions are fulfilled.

{
   "if": {
       <condition> | <logical operator>
   },
   "then": {
       "effect": "deny | audit | modify | append | auditIfNotExists | deployIfNotExists | disabled"
   }
}

Azure Policy rule - Logical operators

Supported logical operators (each operand is itself a condition or another logical operator):

"not": {condition or operator}

"allOf": [{condition or operator}, ...]

"anyOf": [{condition or operator}, ...]

Example

"if": {
    "allOf": [
        {
            "not": {
                "field": "tags",
                "containsKey": "application"
            }
        },
        {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
        }
    ]
}
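To make the If/Then evaluation concrete, here is a small Python evaluator added for this course page (it is not part of the original material or of Azure Policy itself). It walks an If block, honouring not, allOf and anyOf plus the conditions named above, and returns the Then effect when a resource matches. PAGE_RULE reuses the rule from the example above with a deny effect, and the resource dicts are constructed stand-ins keyed by field alias; the real service resolves aliases against the full resource model.

```python
# Constructed rule: the page's allOf/not example paired with a deny effect.
PAGE_RULE = {
    "if": {
        "allOf": [
            {"not": {"field": "tags", "containsKey": "application"}},
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        ]
    },
    "then": {"effect": "deny"},
}

def _norm(value):
    """Azure Policy compares strings case-insensitively; mimic that here."""
    return value.lower() if isinstance(value, str) else value

def evaluate_condition(cond, resource):
    """Evaluate one condition or logical operator (not / allOf / anyOf).
    'resource' is a plain dict keyed by field alias (constructed shape),
    e.g. {"type": ..., "location": ..., "tags": {...}}."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    actual = resource.get(cond["field"])  # missing field -> None
    if "equals" in cond:
        return _norm(actual) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(actual) != _norm(cond["notEquals"])
    if "containsKey" in cond:  # tag names are case-insensitive in Azure
        return isinstance(actual, dict) and any(
            _norm(k) == _norm(cond["containsKey"]) for k in actual)
    if "contains" in cond:
        return actual is not None and _norm(cond["contains"]) in _norm(actual)
    if "greater" in cond:
        return actual is not None and actual > cond["greater"]
    if "less" in cond:
        return actual is not None and actual < cond["less"]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_policy(rule, resource):
    """Return the Then effect (lower-cased) when the If block matches,
    or None when the resource is compliant with this rule."""
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return None
```

A storage account without an "application" tag returns "deny", while a virtual machine without the tag returns None because the type condition in the allOf fails.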

Azure Policy - effects

Each policy definition in Azure Policy has a single effect that determines what happens when the policy rule is evaluated to match. The effects behave differently if they are for a new resource, an updated resource, or an existing resource. These effects are currently supported in a policy definition:

  • Append
  • Audit
  • Deny
  • DeployIfNotExists
  • Modify

Details are available here: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

  • Audit – creates a warning event in the activity log when a non-compliant resource is evaluated, but does not stop the request, e.g. "then": { "effect": "audit" }
  • Deny – prevents a resource request that does not match the standards defined in the policy definition; the request fails.
  • DeployIfNotExists – executes a template deployment when the condition is met.
  • Modify – adds, updates, or removes properties or tags on a resource during creation or update. A common example is updating tags on resources.
  • Append – adds additional fields to the requested resource during creation or update. A common example is specifying allowed IPs for a storage resource.