Share Azure Policies with the community.
Published in the blog post "An Azure Policy journey".
The approach is to use built-in Azure policies whenever they exist; otherwise we use custom policies prefixed with the trigram "MVP".
These are the guidelines used for the remediation activities (effect "DeployIfNotExists"):
- Use an ARM template whenever the remediation action creates a new resource.
- Use a deployment script inside the ARM template whenever the remediation action needs to modify a resource that already exists.
I recommend these guidelines to prevent an ARM template from pushing changes to parameters you don't want to touch on an existing resource. See the article ARM template deployment what-if operation for more information.
- Using GitHub for Azure Policy as Code
- Tutorial: Implement Azure Policy as Code with GitHub
- Design Azure Policy as Code workflows
- Azure Policy initiative definition structure
- A Log Analytics workspace with the access control mode set to "Use resource or workspace permissions"
- A user-assigned managed identity. This identity is used to perform some Azure-specific policy remediation actions through the deployment scripts in ARM templates
- Configure the minimum permissions for this managed identity
- (If using the script launch.ps1) PowerShell modules: Az.ManagedServiceIdentity (min 0.7.3), Az.PolicyInsights (min 1.3.1)
- Policy and policy initiative definitions are created in a management group called core
- Role assignments are done at the subscription level, per policy initiative definition
- Deploy network watcher when virtual networks are created
- [MVP] Deploy a flow log resource and traffic analytics with target network security group
- [MVP] Deploy Diagnostic Settings for Storage Accounts with a given tag to Log Analytics workspace
- [MVP] Deploy Diagnostic Settings for Azure Databricks
- [MVP] Deploy Workspace-based Application Insights
- [MVP] Deploy Diagnostic Settings for Azure Windows Virtual Desktop
- Deploy Diagnostic Settings for Key Vault to Log Analytics workspace
- [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories
- [MVP] Deploy Advanced Data Security on SQL servers
- [MVP] Resource logs in Virtual Machine Scale Sets should be enabled
- Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace
- Deploy export to Log Analytics workspace for Azure Security Center data
- [MVP] Secure transfer to storage accounts should be enabled
- [MVP] Latest TLS version should be used in your Storage Accounts
- [MVP] Storage account public access should be disallowed
- [MVP] Latest TLS version should be used in your Web App
- [MVP] FTP should be disabled in your Web App
- [MVP] Latest TLS version should be used in your Function App
- [MVP] FTP should be disabled in your Function App
- [MVP] Latest TLS version should be used in your API App
- [MVP] FTP should be disabled in your API App
- Deploy SQL DB transparent data encryption
- Management ports should be closed on your virtual machines
- [MVP] Web Application should only be accessible over HTTPS
- [MVP] Key vaults should have soft delete enabled
- [MVP] Storage Accounts Blob should have soft delete enabled
- Azure Backup should be enabled for Virtual Machines
- [MVP] Resource Lock should be enabled
Prerequisites
- Use an account that has the privilege Resource Policy Contributor on the management group that will host your policies.
- If you are processing role assignment use an account that has the User Access Administrator privilege on the target scope of your role assignment.
Action
Execute the script launch.ps1.
- Note: this script also launches a compliance scan on each scope where you have assigned your policies.
- Set up Secrets in GitHub Action workflows. Some details are explained here; in addition, assign the privilege Resource Policy Contributor to the service principal you have just created for GitHub Actions.
- Use the Azure GitHub Action azure/manage-azure-policy@v0, see the file ./.github/workflows/manage-azure-policy.yml
- Sample to create or update all policies:

```yaml
- name: Create or Update Azure Policies
  uses: azure/manage-azure-policy@v0
  with:
    paths: |
      policies/**
      initiatives/**
```
Important note: if you want to proceed with the assignment of policies that use a managed identity, make sure to fill in the App Registration details into the following brackets in the assign..json file:

```json
"identity": {
  "principalId": "The Identity principalId",
  "tenantId": "Your Tenant Id",
  "type": "SystemAssigned"
}
```
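What the assignment step amounts to when done by hand, as an added example that is not the repository's launch.ps1: assign an initiative from the "core" management group to one subscription with a system-assigned identity, grant that identity the roles its DeployIfNotExists policies declare, run the compliance scan the script also performs, and start the remediation tasks that existing resources need. The subscription id, initiative name, workspace path and the initiative parameter name `logAnalytics` are placeholders and assumptions; the script assumes Az.Resources and Az.PolicyInsights (min 1.3.1, as listed above) are installed, and that the account holds Resource Policy Contributor on "core" and User Access Administrator on the subscription, as the prerequisites state.

```powershell
# Added example, not the repository's launch.ps1. Placeholders below must be replaced.
$managementGroup = 'core'
$subscriptionId  = '00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$initiativeName  = 'mvp-monitoring-initiative'              # placeholder initiative name
$location        = 'westeurope'                             # region that hosts the assignment identity
$scope           = "/subscriptions/$subscriptionId"
# Placeholder workspace; assumes the initiative exposes a parameter named "logAnalytics".
$workspaceId     = "$scope/resourceGroups/rg-logs-placeholder/providers/Microsoft.OperationalInsights/workspaces/law-placeholder"

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# The initiative lives in the management group; the assignment is done at subscription scope.
$initiative = Get-AzPolicySetDefinition -Name $initiativeName -ManagementGroupName $managementGroup

# -AssignIdentity/-Location create the system-assigned identity of the assignment
# (newer Az.Resources releases use -IdentityType SystemAssigned instead of -AssignIdentity).
$assignment = New-AzPolicyAssignment `
    -Name "$initiativeName-assignment" `
    -Scope $scope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{ logAnalytics = $workspaceId } `
    -AssignIdentity -Location $location

# Azure Policy does not grant the roleDefinitionIds for you: without these role assignments
# every remediation deployment fails with an authorization error. This is the step that
# needs User Access Administrator on the target scope.
$principalId = $assignment.Identity.PrincipalId
foreach ($role in @('Monitoring Contributor', 'Log Analytics Contributor')) {
    # The new identity can take a moment to replicate; retry instead of failing on first try.
    $attempt = 0
    do {
        $attempt++
        try {
            New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope -ErrorAction Stop | Out-Null
            $done = $true
        } catch {
            $done = $false
            Start-Sleep -Seconds 15
        }
    } until ($done -or $attempt -ge 8)
    if (-not $done) { throw "Could not grant '$role' to identity $principalId on $scope" }
}

# Evaluate the current subscription now instead of waiting for the periodic scan.
Start-AzPolicyComplianceScan

# Resources that already existed are only fixed by a remediation task, so list them first.
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object PolicyDefinitionName, ResourceId

# One remediation task per policy inside the initiative (keyed by policyDefinitionReferenceId).
# Older Az.Resources exposes the assignment id as PolicyAssignmentId, newer releases as Id.
foreach ($ref in $initiative.Properties.PolicyDefinitions) {
    Start-AzPolicyRemediation -Name "remediate-$($ref.policyDefinitionReferenceId)" `
        -PolicyAssignmentId $assignment.PolicyAssignmentId `
        -PolicyDefinitionReferenceId $ref.policyDefinitionReferenceId `
        -Scope $scope | Out-Null
}
```

The role assignment loop is the part most often forgotten: the identity block in the assignment file above only declares that an identity exists, and the policy's roleDefinitionIds only declare what it needs; the actual grant at the subscription scope is a separate, auditable role assignment, which is why the prerequisites ask for User Access Administrator there.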
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.