Azure Policy Governance Checklist
Prepared by: ELIE KARKAFY
Azure Policy
Key Governance Question: Do you want to enforce organizational standards and assess compliance at scale?

Azure Policy is a service that you use to create, assign and manage policy definitions. Policy definitions impose different rules and actions on your resources, so that those resources remain in compliance with your corporate standards and service level agreements.

Azure policies can be grouped together into so-called Azure policy initiatives. This helps in enforcing several policies at once. After the Azure policies and policy initiatives are defined, they need to be assigned to a scope. This scope can be an Azure subscription, an Azure resource group, or individual Azure resources.

Links: Azure Policy
Azure Policy ‐ Best Practices
Key Governance Question: Ask these 3 questions and work from them when defining your policies.

What drives your need for policy?
- Regulatory compliance
- Controlling cost
- Standards & tagging
- Maintain security and performance consistency
- Enforce enterprise-wide design principles

Who owns the policy settings?
- "Initiative" owners
- Security Architect
- Cloud Architect
- Cloud Engineers

What is involved in defining a new policy or refining an existing one?
- Research or gather evidence on the impact of a particular configuration on a particular fundamental (like cost or security)
- What-if analysis of enforcing configuration in a particular manner
- Assess the current state of compliance to understand the impact of the new policy and what exceptions are needed
- Roll out a new policy in phases
- Understand the applications & teams who are non-compliant
- Roll out remediation in stages via SafeDeploy practices

Links: Azure Policy; Azure Policy built-in policy definitions (List of built-in policy definitions); Azure Policy built-in initiative definitions (List of built-in policy initiatives)
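The what-if and compliance-assessment steps above, carried out offline as an added example (not code from this checklist or from Microsoft): a small Python evaluator for the subset of the Azure Policy rule language that the Allowed locations policy uses, run over a constructed resource inventory. The definition is a paraphrase of the built-in rather than a verbatim copy, and the resource names, locations and allowed-location list are made up.

```python
# Constructed policy definition modelled on the page's "Allowed locations" policy (paraphrase of the built-in, not verbatim); Indexed mode skips resource groups.
ALLOWED_LOCATIONS = {
    "mode": "Indexed",
    "policyRule": {"if": {"allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"},
    ]}, "then": {"effect": "deny"}},
}

def resolve(value, params):
    """Resolve a "[parameters('name')]" reference; literals pass through unchanged."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(cond, resource, params):
    """Evaluate a subset of the rule language: allOf/anyOf plus the equals, notEquals,
    in and notIn field conditions. String comparison is case-insensitive, as in Azure."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = str(resource.get(cond["field"], "")).lower()
    for op in ("equals", "notEquals", "in", "notIn"):
        if op in cond:
            expected = resolve(cond[op], params)
            hit = actual == str(expected).lower() if op.endswith("quals") else actual in [str(v).lower() for v in expected]
            return hit if op in ("equals", "in") else not hit
    raise ValueError(f"unsupported condition: {cond}")

def what_if(definition, params, resources):
    """Dry-run an assignment: map each resource name to the effect it would receive."""
    def effect(r):
        if definition["mode"] == "Indexed" and r["type"].lower().endswith("/resourcegroups"):
            return "not evaluated"
        if matches(definition["policyRule"]["if"], r, params):
            return definition["policyRule"]["then"]["effect"]
        return "compliant"
    return {r["name"]: effect(r) for r in resources}

# Constructed sample inventory (not real resources).
SAMPLE_RESOURCES = [
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "stlogs001", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "tm-front", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
    {"name": "contosob2c", "type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "United States"},
    {"name": "rg-legacy", "type": "Microsoft.Resources/subscriptions/resourceGroups", "location": "eastus"},
]
```

Running `what_if(ALLOWED_LOCATIONS, {"listOfAllowedLocations": ["westeurope", "northeurope"]}, SAMPLE_RESOURCES)` shows which existing resources a deny assignment would flag before it is enforced, which is the exceptions list the phased roll-out needs.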
Azure Policy ‐ Governance suggested policies
Key Governance Question: suggested policies by category, with the built-in definition each row links to.

Compute - Allowed virtual machine size SKUs: This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. Link: VMSkusAllowed

General - Allowed locations: This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. Link: AllowedLocations

General - Allowed locations for resource groups: This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. Link: Allowed locations for resource groups

General - Allowed resource types: This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources, duplicate this policy and change the 'mode' to 'All'. Link: Allowed resource types

General - Audit resource location matches resource group location: Audit that the resource location matches its resource group location. Link: Audit resource location matches resource group location

General - Audit usage of custom RBAC rules: Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error-prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. Link: Audit usage of custom RBAC rules
General - Not allowed resource types: Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources. Link: Not allowed resource types

Security - A maximum of 3 owners should be designated for your subscription: It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. Link: A maximum of 3 owners

Security - MFA should be enabled on accounts with owner permissions on your subscription: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. Link: MFA should be enabled

Security - Subscriptions should have a contact email address for security issues: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from the Security Center. Link: Subscriptions should have a contact email

Security - There should be more than one owner assigned to your subscription: It is recommended to designate more than one subscription owner in order to have administrator access redundancy. Link: There should be more than one owner

Tags - Require a tag on resource groups: Enforce the existence of a tag on resource groups. Link: Require a tag on resource groups
Tags - Inherit a tag from the resource group if missing: Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. Link: Inherit a tag from the resource group if missing
Azure Policy Matrix