2. About Me
Sr. Staff Engineer, Zscaler
◎ Cloud Security/DevOps/DevSecOps/SRE
◎ Blogger (oss-world, thesecuremonk)
◎ Co-Organizer
○ DevOps-Pune, DevSecOps-Pune
◎ Open Source Software and CIS Contributor
◎ Past Organization: Cloudneeti, Motifworks, NTT Data
◎ https://www.linkedin.com/in/rahulkhengare
3. Agenda
◎ Cloud benefits and Concerns
◎ Need for Cloud governance and Security
◎ What is Azure Policy Framework
◎ Types of Azure Policies
◎ How Azure Policy works
◎ Cloud Governance needs
◎ Demo
5. Some Known Practices
◎ RBAC
◎ Tags
◎ Network/Firewall/Encryptions/Private Endpoints
◎ Different Security tools with
○ Detective policies
○ Preventative Controls
◎ Cost Management
◎ Security audits
◎ Many More …
6. Cloud Benefits and Concerns
Benefits
◎ Speed
◎ Agility
◎ Ease
E.g. 1000+ virtual machines can be created in 5-10 minutes using automation
Concerns
◎ Who created the resources?
◎ Who is using the resources?
◎ Who has access?
◎ Are the resources secure?
◎ Are we protecting sensitive data?
◎ Cost surprises
7. “Through 2025, 99% of cloud security failures will be the customer’s fault” - Gartner
8. What drives your need for policy enforcement?
◎ Maintain security and performance consistency
◎ Regulatory Compliance
◎ Enforce enterprise-wide design principles
◎ Controlling cost
10. What is Azure Policy?
◎ Assess and enforce enterprise-wide governing standards
◎ Free service
◎ Policy as Code
◎ Real-time remediation
◎ Apply policy at scale
◎ Provide visibility of resources
○ Compliant
○ Non-compliant
◎ Compliance reports
Example: Prevent the creation of virtual machines with basic A0 to A4 SKUs.
14. Types of Azure Policies
Audit/Detective
Only audits the resources; nothing is blocked or changed
Effects:
◎ Audit
◎ AuditIfNotExists
E.g. Audit all the VMs that do not use managed disks.
Preventative
Prevents resource creation/update
Effects:
◎ Deny
E.g. Prevent users from provisioning any resources in the West US region
Remediation
Applies the desired configuration at resource creation/update
Effects:
◎ DeployIfNotExists
◎ Append
◎ Modify
E.g. Deploy the Log Analytics agent for Windows VMs
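As an added illustration that is not part of the deck and not Azure's own code, the block below writes the SKU example from the "What is Azure Policy" slide, the managed-disk audit and the allowed-region deny from the slide above (also the "Allowed region for deployments [Preventative]" item in the governance list) in the Azure Policy definition JSON shape (policyRule.if / then, parameters, field aliases), then runs them through a simplified local evaluator. The evaluator is an assumption for teaching purposes: it models only the allOf/anyOf/not/equals/in/notIn/exists operators and the Audit-versus-Deny decision, not Azure Resource Manager's full evaluation or the remediation effects. The field aliases, resource records and parameter defaults are constructed for the example and should be checked against the built-in definitions before reuse.

```python
"""Simplified, local model of Azure Policy evaluation (added example; not Azure's code).

A resource is represented as a flat dict keyed by the same field names/aliases the
policy rules use, a simplification of the ARM request payload Azure really evaluates.
"""
import re

# Policy definitions in the real Azure Policy JSON shape. Aliases are assumed here.
POLICY_DEFINITIONS = [
    {   # Preventative: block Basic A0-A4 VM SKUs (the "What is Azure Policy" example)
        "name": "deny-basic-a-series-vms",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": ["Basic_A0", "Basic_A1", "Basic_A2", "Basic_A3", "Basic_A4"]},
            ]},
            "then": {"effect": "deny"},
        },
    },
    {   # Detective: flag VMs whose OS disk is an unmanaged VHD (osDisk.uri present)
        "name": "audit-vm-unmanaged-disks",
        "policyRule": {
            "if": {"allOf": [
                {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                {"field": "Microsoft.Compute/virtualMachines/osDisk.uri", "exists": "true"},
            ]},
            "then": {"effect": "audit"},
        },
    },
    {   # Preventative, parameterised: allowed regions for any resource type
        "name": "allowed-locations",
        "parameters": {"listOfAllowedLocations": {"type": "Array",
                                                  "defaultValue": ["eastus", "eastus2"]}},
        "policyRule": {
            "if": {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
            "then": {"effect": "deny"},
        },
    },
]

_PARAM_REF = re.compile(r"\[parameters\('(\w+)'\)\]")


def _resolve(value, params):
    """Replace a "[parameters('x')]" reference with the parameter's value."""
    if isinstance(value, str):
        m = _PARAM_REF.fullmatch(value)
        if m:
            return params[m.group(1)]
    return value


def matches(condition, resource, params):
    """Recursively evaluate a policyRule 'if' block against one resource."""
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    actual = resource.get(condition["field"])
    if "equals" in condition:
        return actual == _resolve(condition["equals"], params)
    if "in" in condition:
        return actual in _resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in _resolve(condition["notIn"], params)
    if "exists" in condition:
        return (actual is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(resource, definitions=POLICY_DEFINITIONS):
    """Return {policy name: effect} for every policy whose 'if' block matches."""
    results = {}
    for d in definitions:
        params = {k: v.get("defaultValue") for k, v in d.get("parameters", {}).items()}
        rule = d["policyRule"]
        if matches(rule["if"], resource, params):
            results[d["name"]] = rule["then"]["effect"]
    return results


def is_blocked(resource):
    """Deny stops the request; Audit only records non-compliance and lets it through."""
    return "deny" in evaluate(resource).values()


# Constructed sample resources (not real deployments); keys are policy field aliases.
SAMPLE_RESOURCES = {
    "vm-basic-eastus": {"type": "Microsoft.Compute/virtualMachines", "location": "eastus",
                        "Microsoft.Compute/virtualMachines/sku.name": "Basic_A1"},
    "vm-unmanaged-westus": {"type": "Microsoft.Compute/virtualMachines", "location": "westus",
                            "Microsoft.Compute/virtualMachines/sku.name": "Standard_D2s_v3",
                            "Microsoft.Compute/virtualMachines/osDisk.uri":
                                "https://example.blob.core.windows.net/vhds/os.vhd"},
    "storage-eastus2": {"type": "Microsoft.Storage/storageAccounts", "location": "eastus2"},
}

if __name__ == "__main__":
    for name, res in SAMPLE_RESOURCES.items():
        verdict = "BLOCKED" if is_blocked(res) else "allowed"
        print(f"{name:22} {verdict:8} {evaluate(res)}")
```

Running it shows the distinction the slide draws: the Basic_A1 VM is blocked by the Deny SKU policy, the westus VM is both flagged (Audit, unmanaged disk) and blocked (Deny, disallowed region), and the eastus2 storage account matches nothing. Because the allowed-locations rule has no `type` condition, it applies to every resource type, which is how the built-in region policy behaves and why scoping it correctly at assignment time matters.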
15. Governance needs and Azure Policies
COST MANAGEMENT
* Allowed storage account SKUs [Preventative]
* Allowed virtual machine size SKUs [Preventative]
* Azure VPN gateways should not use 'basic' SKU [Preventative]
OPERATIONAL
* Resource or resource group name should contain XYZ prefix as part of naming conventions [Audit]
* Allowed region for deployments [Preventative]
* Append a tag and its value from the resource group [Remediation]
16. Governance needs and Azure Policies
SECURITY
* Secure transfer to storage accounts should be enabled [Audit]
* Disk encryption should be enabled on Azure Data Explorer [Audit or Preventative]
* Network interfaces should not have public IPs [Preventative]
BUSINESS/COMPLIANCE
* Azure Cosmos DB allowed locations [Preventative]
* MFA should be enabled on accounts with owner permissions on your subscription [Audit]
* SQL Database should avoid using GRS backup redundancy [Preventative]