With great power comes great responsibility. Sounds familiar? You might have heard this in a meeting after someone did something in the cloud they should not have been able to do.
The cloud is a great place for both developers and system administrators, but if left unguided, undesirable things can happen.
Microsoft has always been a company that put security and governance very high at the top of their products and Azure is no exception here. With the Azure Policy service cloud administrators can now define centrally define policies in subscriptions, and they can even do this as code and deploy these policies like any other ARM template.
Azure Policy is a free service enabling administrators to apply single policies or sets of policies to new and / or already existing resources.
These policies are different to RBAC (Role Based Access Control) permissions, which only control who (group or user) can do what inside of a certain scope. An Azure Policy controls the properties of given resources during or after deployment.
An example can be the following:
John has RBAC permissions to create resources inside of a resource group, for example a storage account. However, Azure Policy only allows storage accounts to have the property “HTTPS only”. John tried to create a storage account with insecure access via HTTP and thus the deployment failed.
Single policies can be applied to a subscription or resource group scope, they can also be added to so-called initiatives, which are collections of policies that get assigned as a group.
Governance as code
Azure Policies are JSON statements representing certain Azure Resource Manager (ARM) properties of resources.
In the Azure portal one can check the built-in policies and see what they are testing for. In this example the policy “Audit transparent data encryption status” applies to all resources of type “Microsoft.Sql/servers/databases” and makes sure that the property “Microsoft.Sql/transparentDataEncryption.status” is set to “enabled” and enforces the action “AuditIfNotExists”.
An “audit” policy does not prevent any deployments, but rather upon a successful ARM deployment will the policy evaluate the resource and log it as compliant or non-compliant.
For more information on the “effect” property of policies, read https://docs.microsoft.com/en-gb/azure/governance/policy/concepts/effects
Microsoft already provides customers with more than 100 built-in policies, however, creating custom policies is fairly straightforward.
In the screenshot above a one line PowerShell command is used to create a custom Azure Policy from a JSON file (on the right) which monitors all resources of type “Microsoft.Storage/storageAccounts” and if they are being created with the property “networkAcls.defaultAction” and a value of “allow”, then this marks a storage Account that is accessible from every network, including the internet, and this should be audited. This property can be found here: https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts#networkruleset-object
To find out what other properties are available on each resource type it is recommended to review the “Azure Templates” reference website https://docs.microsoft.com/en-us/azure/templates/.
Instead of “New-AzureRmPolicyDefinition” the Azure CLI equivalent of “az policy definition create” can also be used.
Policies are now not long documents on the Wiki that nobody ever reads, but source controlled, built and deployed via CI/CD, JSON documents.
Very commonly used policies are “allowed locations” to make sure that resources are only deployed into locations that are approved from a data sovereignty point of view or “allowed VM SKUs” to deny the deployment of certain Virtual Machine sizes that otherwise would be very expensive.
Azure Blueprints is currently in preview (as of 26/09/2018) but is already shaping up to be one of the most important services in the Azure cloud.
Imagine all the tasks that cloud administrators have to execute when someone asks “Can I please get a new Azure subscription via our Enterprise Agreement?” or “Can I please get a project environment provisioned?” or maybe you are working for a Cloud Solution Provider (CSP) and “stamp out” new environments on an almost daily basis.
All these tasks, from creating Log Analytics workspaces, to Azure Key Vaults, communicating tagging standards and allowed locations, depending on the environments maybe even virtual networks have been deployed and peered to an ExpressRoute virtual network, all these can now be combined in one Azure Blueprint.
An Azure Blueprint can consist of RBAC Roles assignments, Azure Policy assignments, the creation of Resource Groups and even the deployment of Azure Resource Manager templates.
Blueprints are ideal candidates for scaffolding requirements. In environments where there is a need to regularly create new environments, for customers, for developers etc, an assigned Blueprint makes sure that the new environment adheres to all internally defined policies and standards.
There will still be a need for documentation, obviously, but now the documentation of tagging standards, what is allowed, where logs go, what sort of metrics are enabled and what sort of access is allowed, will only point to the Azure Blueprint.
Combining Azure Policy and Blueprint will make sure that your company will not be the next victim of a public storage account exposing customer data to the internet.
Written by David O’Brien
About David O’Brien
David recently started his own consulting company XIRUS (https://xirus.com.au ) focusing on mainly Microsoft stacks in the cloud, training individuals and companies in all things Microsoft Azure and Azure DevOps (formerly VSTS), also still doing hands-on consulting and infracoding.
He has held a Microsoft MVP award for 5 years including the prestigious MVP for Azure.
A co-organiser of the Melbourne Microsoft Cloud and Datacentre meetup he also regularly speaks at international conferences and combines his interest to travel the world with his passion to share IT stories with the community. David’s personal blog can be found on https://david-obrien.net . In addition to blogging he has also published online training courses on Pluralsight.