And this time AZ-500 study guide covers:
- Configure a custom security policy
- Create a policy initiative
- Configure security settings and auditing by using Azure Policy
Table of Contents
Configure a custom security policy
Elements
The policy definition policyRule schema is found here: https://schema.management.azure.com/schemas/2020-10-01/policyDefinition.json
You use JSON to create a policy definition. The policy definition contains elements for:
- display name
- description
- mode
- metadata
- parameters
- policy rule
- logical evaluation
- effect
Identify requirements
Before creating the policy definition, it’s important to understand the intent of the policy. For this tutorial, we’ll use a common enterprise security requirement as the goal to illustrate the steps involved:
- Each storage account must be enabled for HTTPS
- Each storage account must be disabled for HTTP
Your requirements should clearly identify both the “to be” and the “not to be” resource states.
While we’ve defined the expected state of the resource, we’ve not yet defined what we want done with non-compliant resources. Azure Policy supports many effects. For this tutorial, we’ll define the business requirement as preventing the creation of resources if they aren’t compliant with the business rules. To meet this goal, we’ll use the Deny effect. We also want the option to suspend the policy for specific assignments. As such, we’ll use the Disabled effect and make the effect a parameter in the policy definition.
Ways to determine the properties for an Azure resource
Azure Policy extension for VS Code
Once you open it you can choose see the
Azure Resource Manager templates (ARM templates)
- Export existing resource
Export to GitHub
- Creation experience
- Quickstart templates (GitHub)
- Template reference docs
With Azure Resource Explorer
Azure CLI
|
1 2 3 4 |
# Login first with az login if not using Cloud Shell # Get Azure Policy aliases for type Microsoft.Storage az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name" |
Azure PowerShell
|
1 2 3 4 |
# Login first with Connect-AzAccount if not using Cloud Shell # Use Get-AzPolicyAlias to list aliases for Microsoft.Storage (Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Storage').Aliases |
Determine the effect to use
Deciding what to do with your non-compliant resources is nearly as important as deciding what to evaluate in the first place. Each possible response to a non-compliant resource is called an effect. The effect controls if the non-compliant resource is logged, blocked, has data appended, or has a deployment associated to it for putting the resource back into a compliant state.
For our example, Deny is the effect we want as we don’t want non-compliant resources created in our Azure environment. Audit is a good first choice for a policy effect to determine what the impact of a policy is before setting it to Deny. One way to make changing the effect per assignment easier is to parameterize the effect. See parameters below for the details on how.
Compose the definition
We now have the property details and alias for what we plan to manage. Next, we’ll compose the policy rule itself. If you aren’t yet familiar with the policy language, reference policy definition structure for how to structure the policy definition. Here is an empty template of what a policy definition looks like:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
{ "properties": { "displayName": "<displayName>", "description": "<description>", "mode": "<mode>", "parameters": { <parameters> }, "policyRule": { "if": { <rule> }, "then": { "effect": "<effect>" } } } } |
Metadata
The first three components are policy metadata. These components are easy to provide values for since we know what we are creating the rule for. Mode is primarily about tags and resource location. Since we don’t need to limit evaluation to resources that support tags, we’ll use the all value for mode.
|
1 2 3 |
"displayName": "Deny storage accounts not using only HTTPS", "description": "Deny storage accounts not using only HTTPS. Checks the supportsHttpsTrafficOnly property on StorageAccounts.", "mode": "all", |
Parameters
While we didn’t use a parameter for changing the evaluation, we do want to use a parameter to allow changing the effect for troubleshooting. We’ll define an effectType parameter and limit it to only Deny and Disabled. These two options match our business requirements. The finished parameters block looks like this example:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
"parameters": { "effectType": { "type": "string", "defaultValue": "Deny", "allowedValues": [ "Deny", "Disabled" ], "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" } } }, |
Policy rule
Composing the policy rule is the final step in building our custom policy definition. We’ve identified two statements to test for:
- The storage account type is Microsoft.Storage/storageAccounts
- The storage account supportsHttpsTrafficOnly isn’t true
Since we need both of these statements to be true, we’ll use the allOf logical operator. We’ll pass the effectType parameter to the effect instead of making a static declaration. Our finished rule looks like this example:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
"if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" } ] }, "then": { "effect": "[parameters('effectType')]" } |
The completed definition can be used to create a new policy. Portal and each SDK (Azure CLI, Azure PowerShell, and REST API) accept the definition in different ways, so review the commands for each to validate correct usage. Then assign it, using the parameterized effect, to appropriate resources to manage the security of your storage accounts.
Completed definition
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
{ "properties": { "displayName": "Deny storage accounts not using only HTTPS", "description": "Deny storage accounts not using only HTTPS. Checks the supportsHttpsTrafficOnly property on StorageAccounts.", "mode": "all", "parameters": { "effectType": { "type": "string", "defaultValue": "Deny", "allowedValues": [ "Deny", "Disabled" ], "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" } ] }, "then": { "effect": "[parameters('effectType')]" } } } } |
Open Azure Policy definition from https://portal.azure.com/#blade/Microsoft_Azure_Policy/CreatePolicyDefinitionBlade
Once done, you have the complete policy definition
Create policies programmatically
PowerShell
Use the following JSON snippet to create a JSON file with the name AuditStorageAccounts.json.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
{ "if": { "allOf": [{ "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "equals": "Allow" } ] }, "then": { "effect": "audit" } } |
Run the following command to create a policy definition using the AuditStorageAccounts.json file.
|
1 |
New-AzPolicyDefinition -Name 'AuditStorageAccounts' -DisplayName 'Audit Storage Accounts Open to Public Networks' -Policy 'AuditStorageAccounts.json' |
After you create your policy definition, you can create a policy assignment by running the following commands:
|
1 2 3 |
$rg = Get-AzResourceGroup -Name 'ContosoRG' $Policy = Get-AzPolicyDefinition -Name 'AuditStorageAccounts' New-AzPolicyAssignment -Name 'AuditStorageAccounts' -PolicyDefinition $Policy -Scope $rg.ResourceId |
Azure CLI
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
{ "if": { "allOf": [{ "field": "type", "equals": "Microsoft.Storage/storageAccounts" }, { "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "equals": "Allow" } ] }, "then": { "effect": "audit" } } |
Run the following command to create a policy definition:
|
1 |
az policy definition create --name 'audit-storage-accounts-open-to-public-networks' --display-name 'Audit Storage Accounts Open to Public Networks' --description 'This policy ensures that storage accounts with exposures to public networks are audited.' --rules '<path to json file>' --mode All |
The command creates a policy definition named Audit Storage Accounts Open to Public Networks. For more information about other parameters that you can use, see az policy definition create.When called without location parameters, az policy definition creation defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:
- subscription – Save to a different subscription. Requires a GUID value for the subscription ID or a string value for the subscription name.
- management-group – Save to a management group. Requires a string value.
- Use the following command to create a policy assignment. Replace example information in <> symbols with your own values.
|
1 |
az policy assignment create --name '<name>' --scope '<scope>' --policy '<policy definition ID>' |
You can get the Azure Policy Definition ID by using PowerShell with the following command:
|
1 |
az policy definition show --name 'Audit Storage Accounts with Open Public Networks' |
GitHub policy-as-a-code
Manage your policy definitions and assignments as code, control the lifecycle of modifying those definitions, and automate the validation of compliance results with an Azure Policy as Code workflow.
GitHub is a great place to store policy definitions and assignments. You can trigger a compliance scan from the GitHub activity by pushing policy objects modified in GitHub to Azure.
Azure policies export
Sign-in to GitHub
When You have signed in You can see all the repositories
For demonstrative purposes, let’s choose two policies
You can export Definitions and Assignments or only one of them
Export
Then choose Export
And done
GitHub web-editor
When You browse to Your repository You will see the files
And the policies will tell they were exported from Azure policy
When You open a JSON file and press “.” when the file is open
You will get web-based Visual studio code right there in the browser
And below You can see the editing in done inside GitHub
Workflows
You will find the workflow file under Workflows. The GitHub workflow file is created each time export is used. Each instance of the file is specific to the options during that export action.
This workflow file uses the Manage Azure Policy action to push changes made to the exported policy objects in the GitHub repository back to Azure Policy. By default, the action considers and syncs only those files that are different from the ones existing in Azure. You can also use the assignments parameter in the action to only sync changes done to specific assignment files. This parameter can be used to apply policy assignments only for a specific environment. For more information, see the Manage Azure Policy repository readme.
By default, the workflow must be triggered manually. To do so, use the Actions in GitHub, select the manage-azure-policy-<randomLetters> workflow, select Run workflow, and then Run workflow again.
GitHub self-hosted runner
Basically Self-hosted runner is a Azure VM that You will assign System-managed Identity and use it to run GitHub runners.
A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 30 days.
What it does?
The self-hosted runner checks GitHub for application updates and to see if there are any jobs waiting to be processed. The self-hosted runner uses an HTTPS long poll that opens a connection to GitHub for 50 seconds, then times out and begins a new long poll if no answer is received. To accept and run GitHub Actions jobs, the application must be running on the system.
You don’t need to enable GitHub to establish inbound connections to your self-hosted runner because the self-hosted runner opens a connection to GitHub.
Create a policy initiative
Elements
You use JSON to create a policy initiative definition. The policy initiative definition contains elements for:
- display name
- description
- metadata
- parameters
- policy definitions
- policy groups (this property is part of the Regulatory Compliance (Preview) feature)
Metadata
The optional metadata property stores information about the policy initiative definition. Customers can define any properties and values useful to their organization in metadata. However, there are some common properties used by Azure Policy and in built-ins.
Common metadata properties
version(string): Tracks details about the version of the contents of a policy initiative definition.category(string): Determines under which category in the Azure portal the policy definition is displayed.
Parameters
Parameters help simplify your policy management by reducing the number of policy definitions. Think of parameters like the fields on a form – name, address, city, state. These parameters always stay the same, however their values change based on the individual filling out the form. Parameters work the same way when building policy initiatives. By including parameters in a policy initiative definition, you can reuse that parameter in the included policies.
A parameter has the following properties that are used in the policy initiative definition:
name: The name of your parameter. Used by theparametersdeployment function within the policy rule. For more information, see using a parameter value.type: Determines if the parameter is a string, array, object, boolean, integer, float, or datetime.metadata: Defines subproperties primarily used by the Azure portal to display user-friendly information:description: The explanation of what the parameter is used for. Can be used to provide examples of acceptable values.displayName: The friendly name shown in the portal for the parameter.strongType: (Optional) Used when assigning the policy definition through the portal. Provides a context aware list. For more information, see strongType.
defaultValue: (Optional) Sets the value of the parameter in an assignment if no value is given.allowedValues: (Optional) Provides an array of values that the parameter accepts during assignment.
Policy definitions
The policyDefinitions portion of the initiative definition is an array of which existing policy definitions are included in the initiative. As mentioned in Passing a parameter value to a policy definition, this property is where initiative parameters are passed to the policy definition.
Policy definition properties
Each array element that represents a policy definition has the following properties:
policyDefinitionId(string): The ID of the custom or built-in policy definition to include.policyDefinitionReferenceId(string): A short name for the included policy definition.parameters: (Optional) The name/value pairs for passing an initiative parameter to the included policy definition as a property in that policy definition. For more information, see Parameters.groupNames(array of strings): (Optional) The group the policy definition is a member of.
Configure security settings and auditing by using Azure Policy
Policy assignment to identify non-compliant resources
Identify non-compliant resources
| Resource State | Effect | Policy Evaluation | Compliance State |
|---|---|---|---|
| New or Updated | Audit, Modify, AuditIfNotExist | True | Non-Compliant |
| New or Updated | Audit, Modify, AuditIfNotExist | False | Compliant |
| Exists | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist | True | Non-Compliant |
| Exists | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist | False | Compliant |
Once you have create a definition, you can assign it. From the policy itself
Or from Assignments menu
Earlier we created only Deny and Disable effects but we can also add Audit to the effects and make it as default.
And then the assignment will show like this. From this menu you can enforce the policy
When enforcement mode is disabled, the policy effect isn’t enforced (i.e. deny policy won’t deny resources). Compliance assessment results are still available.
And if You remove the tick from “Only show…” on the next page, you will se effects that have been defined and what the default one.
If you want to do something with the policy, You need Managed identity for it.
Here instructions how to create a Managed identity and add permissions to it.
Next you can put a message to display for non-compliance
And finally review and create
Compliance results
After we have assigned the policy, we can go to compliance and see the results.
For this demo, I created a Storage account with out SSL.
And it will show non-compliant based on the rule we created
but the other Storage accounts are compliant as they have SSL enabled
And when we drill down to details, we can see the custom reason we added to the policy
Troubleshooting
Things to remember
You use JSON to create a policy definition. The policy definition contains elements for:
- display name
- description
- mode
- metadata
- parameters
- policy rule
- logical evaluation
- effect
How find the resource providers to use.
Exporting to policies to GitHub and workflows
Effect types
| Resource State | Effect | Policy Evaluation | Compliance State |
|---|---|---|---|
| New or Updated | Audit, Modify, AuditIfNotExist | True | Non-Compliant |
| New or Updated | Audit, Modify, AuditIfNotExist | False | Compliant |
| Exists | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist | True | Non-Compliant |
| Exists | Deny, Audit, Append, Modify, DeployIfNotExist, AuditIfNotExist | False | Compliant |
Policy initiative elements
You use JSON to create a policy initiative definition. The policy initiative definition contains elements for:
- display name
- description
- metadata
- parameters
- policy definitions
- policy groups (this property is part of the Regulatory Compliance (Preview) feature)
You need System Managed Identity for any remediation tasks.
How to see the resource compliance for the policies
RSS - Posts