Security policies are sets of rules and regulations that define and manage access and security levels of your Azure resources. They aid in achieving organizational compliance goals, and allow for automation of repetitive tasks, thus minimizing human errors.
Azure Policy and Azure Security Center
Azure Policy and Azure Security Center both play a significant role in implementing a custom security policy in Azure. Azure Policy helps in creating, assigning, and managing policies, while Azure Security Center provides a unified security management system that strengthens the security posture of your data centers.
Configuring a Custom Security Policy
To configure a custom security policy, navigate to Azure portal -> Security Center -> Policy & Compliance.
1) First, you should define a custom security policy. Here’s how to set it up:
- Click on ‘Security policy’.
- Click on your subscription.
- Click on ‘View effective policy’.
- Click on ‘Add a new policy definition’.
2) After adding the policy, you need to assign it:
- Once you’ve defined your policy, click on ‘Assign a policy’.
- Select your scope (management group, subscription, or resource group).
- In Policy definition, choose the custom policy you just created.
- Assign a name, description, and select a policy enforcement (enabled/disabled).
- Click on ‘Assign’.
Example:

```json
{
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
        {
          "not": {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
            "in": [ "Windows" ]
          }
        }
      ]
    },
    "then": { "effect": "audit" }
  }
}
```
In the JSON example above, the rule matches every Azure virtual machine whose OS disk type is not Windows and applies the audit effect, so those machines are reported as non-compliant without being blocked.
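To show how the `if` block is actually evaluated, here is a small added evaluator (not Azure's policy engine and not code from the page) that mimics the rule subset used above, `allOf`, `not`, `equals` and `in`, and goes slightly beyond it with `anyOf` and `exists` so it can also run a Deny rule for VMs on unmanaged disks. The sample resources are constructed, and the `storageProfile.osDisk.vhd.uri` alias is an assumption rather than something the page states.

```python
# Constructed sample resources (not real Azure data): a Linux VM on a managed disk,
# a Windows VM on an unmanaged VHD, and a storage account the rules should ignore.
VM = "Microsoft.Compute/virtualMachines"
RESOURCES = {
    "linux-vm": {"type": VM, "properties": {"storageProfile": {"osDisk": {
        "osType": "Linux", "managedDisk": {"id": "/fake/disk"}}}}},
    "windows-vm": {"type": VM, "properties": {"storageProfile": {"osDisk": {
        "osType": "Windows", "vhd": {"uri": "https://fake/os.vhd"}}}}},
    "storage": {"type": "Microsoft.Storage/storageAccounts", "properties": {}}}
# The page's audit rule, and a Deny rule for VMs still on unmanaged VHDs
# (the 'osDisk.vhd.uri' alias is an assumption, not taken from the page).
AUDIT_NON_WINDOWS_VM = {"policyRule": {"if": {"allOf": [
    {"field": "type", "equals": VM},
    {"not": {"field": VM + "/storageProfile.osDisk.osType", "in": ["Windows"]}}]},
    "then": {"effect": "audit"}}}
DENY_UNMANAGED_DISK_VM = {"policyRule": {"if": {"allOf": [
    {"field": "type", "equals": VM},
    {"field": VM + "/storageProfile.osDisk.vhd.uri", "exists": "true"}]},
    "then": {"effect": "deny"}}}

def get_field(resource, field):
    """Resolve 'type' or an alias like '<type>/storageProfile.osDisk.osType'."""
    if field == "type":
        return resource["type"]
    prefix = resource["type"] + "/"
    node = resource.get("properties") if field.startswith(prefix) else None  # other type -> None
    for part in (field[len(prefix):].split(".") if node is not None else []):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def matches(cond, resource):
    """allOf / anyOf / not nest conditions; equals / in / exists compare one field."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def effect_for(policy, resource):
    """Return the 'then' effect if the 'if' block matches, else None (resource is compliant)."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource) else None
```

Running `effect_for(AUDIT_NON_WINDOWS_VM, RESOURCES["linux-vm"])` yields `"audit"`, while the Windows VM and the storage account yield `None`, which is the compliant outcome.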
Comparison of Azure Policies and Azure Security Center Recommendations
| | Azure Policy | Azure Security Center |
|---|---|---|
| Purpose | Configuration management and audit | Unified security management and threat analysis |
| Customizability | Very customizable in terms of what you can manage and audit | More focused on a prescribed set of tasks, fewer customization options |
| Ideal for | Compliance teams, security teams | Security operations teams |
In conclusion, Azure provides a number of features to keep your cloud resources secure and compliant. It’s paramount to regularly review these policies and update them as your organization’s needs evolve. Don’t forget to audit your environment and address the findings. This is essential not only to pass the AZ-500 Microsoft Azure Security Technologies exam but to effectively manage security in your Azure environment.
Practice Test
True or False: Azure Security Center allows you to modify and enforce custom security policies at the subscription level.
- True
- False
Answer: True.
Explanation: Azure Security Center lets you apply and customize the security policy on subscriptions. This helps in maintaining adherence to regulatory compliance standards specific to the organization.
Which of the following Azure services can be used to create and manage custom security policies? (Select all that apply)
- a) Azure Active Directory
- b) Azure Security Center
- c) Azure Policy
- d) Azure Logic Apps
Answer: b) Azure Security Center, c) Azure Policy.
Explanation: Both Azure Security Center and Azure Policy allow creation and management of custom security policies. Azure Active Directory is for identity management and Azure Logic Apps is for creating workflows.
True or False: Azure Policy can enforce organizational standards and assess compliance at scale.
- True
- False
Answer: True.
Explanation: Azure Policy evaluates resources in Azure by comparing the properties of those resources with business rules. These business rules, described in JSON format, are known as policy definitions.
Which of the following is not a correct definition of an Azure Policy?
- a) It is a default allow model
- b) It is a default deny model
- c) It’s a declarative model to describe what you want
- d) It’s a procedural model to describe what you want
Answer: d) It’s a procedural model to describe what you want.
Explanation: Azure Policy uses a declarative syntax, meaning you describe what you want and Azure Policy will make it happen.
Multiple select: For security policy in Azure, which compliance standards are available?
- a) NIST
- b) ISO
- c) CIS
- d) ITAR
Answer: a) NIST, b) ISO, c) CIS, d) ITAR
Explanation: Azure indeed provides all these compliance standards: NIST, ISO, CIS, and ITAR.
True or False: Azure Policy allows you to only audit settings.
- True
- False
Answer: False.
Explanation: Azure Policy not only audits settings, but it also helps you enforce them.
Which of the following is not a component of an Azure Policy definition?
- a) Display Name
- b) Description
- c) Effect
- d) Network Rules
Answer: d) Network Rules
Explanation: Network Rules is not a component of Azure Policy definitions. Instead, its components include Display Name, Description, and Effect, amongst others.
True or False: You can use Azure Policy and Azure Security Center together to achieve higher security.
- True
- False
Answer: True.
Explanation: Azure Policy provides you with the ability to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.
When a resource violates a policy effect, what actions can Azure Policy perform? (Select all that apply)
- a) Audit
- b) Block
- c) Notify via Email
- d) Change the resource to a compliant state
Answer: a) Audit, b) Block, d) Change the resource to a compliant state
Explanation: Azure Policy can perform various actions such as audit a violation, block a resource from being created, and change a resource to a compliant state automatically. However, it cannot automatically send an email notification.
True or False: Security policies are configured at the Azure Active Directory level.
- True
- False
Answer: False.
Explanation: Security policies are typically managed at the subscription level using the Azure Security Center or Azure Policy, not at the Azure Active Directory level.
What level of permissions do you need on a resource group to assign a policy?
- a) Reader
- b) Owner
- c) Contributor
- d) User Access Administrator
Answer: b) Owner
Explanation: In order to assign a policy, you need to be an owner or have Microsoft.Authorization/policyassignments/write permission.
True or False: Assigning policies at a higher scope overrides the policies set at a lower scope.
- True
- False
Answer: False.
Explanation: Generally, assignment at a child scope does not inherit or overwrite the parent scope’s assignment unless the ‘notscope’ field is used while creating it.
Which Azure service primarily deals with access control and authentication?
- a) Azure Security Center
- b) Azure Policy
- c) Azure Active Directory
- d) Azure Logic Apps
Answer: c) Azure Active Directory
Explanation: Azure Active Directory is an identity and access management service that helps control who should have access to your resources.
True or False: Security baselines in Azure are built-in policies that provide an initial set of security best practices.
- True
- False
Answer: True.
Explanation: Azure provides “security baselines”, which are built-in policy initiatives that provide recommendations for industry best practices, and automatically applies these best practices to your existing resources.
Which of the following policies cannot be created with Azure Policy?
- a) Limit the types of resources that can be created.
- b) Restrict the locations in which a resource can be created.
- c) Restrict the type of virtual machines that can be created.
- d) All of the above can be created with Azure Policy.
Answer: d) All of the above can be created with Azure Policy.
Explanation: All of these policies can be created with Azure Policy. The declarative nature of Azure Policy allows it to define very specific rules and conditions for your Azure resources.
Interview Questions
What is a custom security policy in Azure?
A custom security policy is a set of rules or conditions defined by an Azure administrator to enforce and control the security configurations of multiple Azure resources.
How can you apply a custom security policy in Azure?
A custom security policy in Azure can be applied by assigning it to a resource group, subscription, or management group.
What are the steps to create a custom security policy in Azure?
Steps include navigating to Policy in the Azure portal, clicking on Definitions, selecting + Policy Definition, providing necessary details, and defining the policy rules in JSON format.
What is the role of initiative definitions while configuring a custom security policy?
Initiative definitions simplify managing and assigning policy definitions by grouping a set of policies as a single item.
How can you see the compliance details of your custom policy in Azure?
Compliance details can be viewed from the Azure Policy Compliance page, where it shows the compliance state for each assigned policy.
What is the purpose of the “Deny” effect in Azure Policy?
The “Deny” effect in Azure Policy prevents a resource deployment if it doesn’t comply with the conditions defined in the policy.
How can you ensure that your virtual machines are using managed disks in Azure?
By creating a policy with a condition that checks if virtual machines are using managed disks and by setting the effect to “Deny” in case they are not.
Can parameters be used in custom security policies in Azure?
Yes, parameters can be used to provide values during deployment time that are included in the policy rule.
What is the use of remediation in custom security policies?
Remediation is used to automatically fix resources that are not compliant with the defined policies.
How can you create and manage policies across multiple Azure subscriptions?
By using Azure Management groups, you can manage your Azure policies across several subscriptions.
What is the “AuditIfNotExists” effect in Azure Policy?
The “AuditIfNotExists” effect returns a warning by auditing resources that should exist but don’t.
What is the ‘DeployIfNotExists’ effect in Azure Policy?
The ‘DeployIfNotExists’ ensures a specific resource is deployed if it does not already exist.
Can a custom policy in Azure have multiple conditions?
Yes, using the logical operators ‘AllOf’ and ‘AnyOf’, a custom policy can have multiple conditions.
Can Azure custom security policies be exported and imported?
Yes, custom security policies can be exported and imported by using Azure PowerShell and Azure CLI with the commands Export-AzPolicyDefinition and New-AzPolicyDefinition respectively.
How is compliance data for Azure policies evaluated and shown?
Azure Policy compliance is evaluated and shown in the Azure Policy Compliance blade and updated on a regular basis whenever resources are created or updated.