Azure Policy is a central service in Azure that plays a crucial role in achieving good governance for your environment. The main function is to evaluate resources in Azure by their properties. With Azure Policy, you can enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
Configuring Security Settings using Azure Policy
With Azure Policy, organizations can control and enforce the security settings of their resources to meet their specific requirements. Many built-in policy definitions are available and can be assigned to a scope. The available policy effects include append, audit, deny, deployIfNotExists, and disabled.
To create and assign a policy, follow the below steps:
- In the Azure portal, search for and select Policy.
- Under Authoring, select Assignments and then click on Assign Policy.
- In the Scope tab, select the subscription or resource group that the policy should be applied to.
- In the Basics tab, optional assignment name and description can be given.
- In the Policy tab, select the policy definition from the list of available standard policies, such as “Enforce tag and its value” or “Allowed locations,” and then click on Next.
- In the Parameters tab, provide the necessary parameters based on the policy you selected. Click on Next.
- In the Remediation tab, configure the policy to create a managed identity. Click on Next.
- Review all your settings before clicking on the Create button to assign the policy.
Auditing with Azure Policy
In addition to enforcing security settings, Azure Policy also provides tools for auditing. This functionality allows administrators to review evaluations of their resources and track their compliance.
There are various audit effects, including “Audit” and “AuditIfNotExists”. The Audit effect marks a resource as non-compliant if it does not meet the policy condition, while the AuditIfNotExists effect handles the case where non-compliance should only be reported when a related resource is missing or does not meet the stated conditions.
Azure Policy not only reports non-compliance but also keeps a detailed record of the evaluation process. You can view this history to see the effects of assignments and definitions and how the compliance state of a resource has changed over time.
Example of Using Azure Policy for Security Configuration and Auditing
Let’s walk through an example of how we could leverage Azure Policy to enforce a specific security setting.
Let’s say we want to ensure that all our storage accounts are only accessible via HTTPS (thus enforcing secure data transfer). There’s a built-in policy definition called “Secure transfer to storage accounts should be enabled”.
We can create and assign this policy following the steps outlined above. Under the “Policy” tab, we’d select the “Secure transfer to storage accounts should be enabled” definition.
This policy will now continuously monitor and audit all storage accounts, marking any resources that do not comply (i.e., any storage account not using secure transfer) as non-compliant. If we had decided to use the “Deny” effect instead of “Audit”, it would prevent any storage account from being created without secure transfer.
This simple example demonstrates combining security settings configuration and auditing to maintain compliance with standards or regulations.
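To make the evaluation concrete, the following is an added example (not code from the original page and not Microsoft's policy engine) that embeds a custom policy definition written in the same JSON form used for Azure Policy definitions and evaluates it offline against a few constructed storage-account documents. The definition is my own, modelled on the intent of the built-in “Secure transfer to storage accounts should be enabled” definition rather than a copy of it; its `effect` parameter lets the same rule be assigned as Audit or Deny, which is exactly the choice the paragraph above describes. The evaluator is a deliberately small re-implementation of the rule grammar (`field` with `equals`/`notEquals`/`exists`, combined with `allOf`/`anyOf`/`not`), and the mapping of the alias `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` onto `properties.supportsHttpsTrafficOnly` is an assumption made for this example; the real service resolves aliases from each provider's alias table.

```python
"""Added example: a small offline evaluator for an Azure Policy rule.

The policy definition below is constructed for this example (not the built-in
definition's text). The matching logic is a teaching re-implementation of a
subset of Azure Policy's rule grammar, not the Azure evaluation engine.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

POLICY_DEFINITION_JSON = """
{
  "properties": {
    "displayName": "Storage accounts should require secure transfer (example)",
    "mode": "Indexed",
    "parameters": {
      "effect": {"type": "String", "allowedValues": ["Audit", "Deny"],
                 "defaultValue": "Audit"}
    },
    "policyRule": {
      "if": {
        "allOf": [
          {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
          {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "exists": "false"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "equals": "false"}
          ]}
        ]
      },
      "then": {"effect": "[parameters('effect')]"}
    }
  }
}
"""

# Constructed sample resources, shaped like ARM resource documents.
SAMPLE_RESOURCES: List[Dict[str, Any]] = [
    {"name": "stsecure01", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": True}},
    {"name": "stlegacy02", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stnoflag03", "type": "Microsoft.Storage/storageAccounts",
     "location": "northeurope", "properties": {}},  # property absent
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westeurope", "properties": {}},   # not targeted by the rule
]


def load_policy() -> Dict[str, Any]:
    return json.loads(POLICY_DEFINITION_JSON)


def _resolve_field(resource: Dict[str, Any], field: str) -> Tuple[bool, Any]:
    """Map a policy 'field' to (exists, value) in the resource document.

    Assumption for this example: 'type', 'name', 'location' and 'kind' are
    top-level keys, and an alias '<resourceType>/<a.b.c>' is read from
    resource['properties'] following the dotted path.
    """
    if field in ("type", "name", "location", "kind"):
        return field in resource, resource.get(field)
    rtype = resource.get("type", "")
    if not field.lower().startswith(rtype.lower() + "/"):
        return False, None
    node: Any = resource.get("properties", {})
    for part in field[len(rtype) + 1:].split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _as_text(value: Any) -> str:
    """Azure Policy compares values as case-insensitive strings."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).lower()


def _match(condition: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate one condition node: allOf / anyOf / not / field comparison."""
    if "allOf" in condition:
        return all(_match(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_match(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not _match(condition["not"], resource)
    exists, value = _resolve_field(resource, condition["field"])
    if "exists" in condition:
        return exists == (_as_text(condition["exists"]) == "true")
    if "equals" in condition:
        return exists and _as_text(value) == _as_text(condition["equals"])
    if "notEquals" in condition:
        return not exists or _as_text(value) != _as_text(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def _resolve_effect(policy: Dict[str, Any], parameters: Dict[str, Any]) -> str:
    """Resolve 'then.effect', which may be a [parameters('name')] reference."""
    effect = policy["properties"]["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('") and effect.endswith("')]"):
        name = effect[len("[parameters('"):-len("')]")]
        declared = policy["properties"]["parameters"][name]
        return parameters.get(name, declared.get("defaultValue"))
    return effect


def evaluate(policy: Dict[str, Any], resource: Dict[str, Any],
             parameters: Optional[Dict[str, Any]] = None) -> Dict[str, str]:
    """Return the recorded compliance state and whether a create/update
    request would be blocked. Only Audit and Deny are modelled; a resource
    the 'if' block does not match is reported Compliant in this simplified model."""
    effect = _resolve_effect(policy, parameters or {})
    if not _match(policy["properties"]["policyRule"]["if"], resource):
        return {"effect": effect, "compliance": "Compliant", "request": "allowed"}
    return {"effect": effect, "compliance": "NonCompliant",
            "request": "denied" if effect == "Deny" else "allowed"}


def compliance_report(policy: Dict[str, Any], resources: List[Dict[str, Any]],
                      parameters: Optional[Dict[str, Any]] = None) -> Dict[str, str]:
    return {r["name"]: evaluate(policy, r, parameters)["compliance"] for r in resources}


if __name__ == "__main__":
    policy = load_policy()
    for eff in ("Audit", "Deny"):
        print(f"--- assignment with effect={eff} ---")
        for res in SAMPLE_RESOURCES:
            out = evaluate(policy, res, {"effect": eff})
            print(f"{res['name']:<12} {out['compliance']:<13} request {out['request']}")
```

Running the block prints one table per assignment: with `Audit`, the two non-compliant storage accounts are recorded but every request is allowed; with `Deny`, the same two would be blocked at create/update time while the compliant account and the virtual machine are unaffected. The `exists: false` branch is what catches `stnoflag03`, whose document lacks the property altogether, a case a naive `equals: false` check alone would miss.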
In conclusion, Azure Policy provides a powerful way to apply governance controls across resources in your Azure environment. It is a key tool for implementing a reliable and compliant structure and maintaining it over time.
Practice Test
True or False: Azure Policy assesses the resources in your environment to ensure they’re compliant with the rules you set.
- True
- False
Answer: True
Explanation: Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, helping ensure your resources stay compliant with your corporate standards and service level agreements.
What Azure service is used to configure security settings and auditing?
- A. Azure Monitor
- B. Azure Security Center
- C. Azure Advisor
- D. Azure Policy
Answer: D. Azure Policy
Explanation: Azure Policy is the service that you use to create, assign, and manage policies which enforce different rules over your resources, helping ensure compliance with corporate standards and SLAs.
Azure Policy can allow non-compliant resources to change their configuration.
- A. True
- B. False
Answer: B. False
Explanation: Azure Policy flags non-compliant resources but does not modify those resources. Take corrective actions manually or use an appropriate tool for automatic remediation.
Azure Policy checks compliance at the following levels, except:
- A. Resource Group
- B. Subscription
- C. Management group
- D. None of the above
Answer: D. None of the above
Explanation: Azure Policy checks compliance at all the mentioned levels: Resource Group, Subscription, and Management Group.
Azure Policy helps in ________ corporate standards over your resources.
- A. Improvising
- B. Enforcing
- C. Eliminating
- D. Modifying
Answer: B. Enforcing
Explanation: Azure Policy helps in enforcing corporate standards and SLAs across the infrastructure, thus helping to ensure compliance with external regulations.
True or False: Azure Policy can be applied on already existing resources.
- True
- False
Answer: True
Explanation: Azure Policy works at the control plane layer, not only during the deployment phase but also for already existing resources.
Azure Policy supports which of the following effect types?
- A. Append
- B. Deny
- C. Audit
- D. All of the above
Answer: D. All of the above
Explanation: Azure Policy supports multiple effect types such as Append, Deny, Audit, and several others to enforce rules on resource properties during deployment and for already existing resources.
Azure Policy can be assigned only at the subscription level.
- A. True
- B. False
Answer: B. False
Explanation: Azure Policy can be assigned at different scopes, such as a management group, a resource group, or an individual resource.
True or False: Initiatives in Azure Policy are a collection of multiple policy definitions.
- True
- False
Answer: True
Explanation: Initiatives are a set or group of policy definitions to help track your compliance state for a larger goal.
Which of the following is not a built-in policy definition provided by Azure Policy?
- A. Allowed locations
- B. Allowed resource types
- C. Maximum number of resources
- D. Audit VMs that do not use managed disks
Answer: C. Maximum number of resources
Explanation: “Maximum number of resources” is not a built-in policy definition provided by Azure Policy. The built-in policy definitions include Allowed locations, Allowed resource types, and Audit VMs that do not use managed disks.
In Azure Policy, you can build custom definitions using which language?
- A. Python
- B. JavaScript
- C. PowerShell
- D. None of the above
Answer: D. None of the above
Explanation: Custom definitions in Azure Policy are created using JSON (JavaScript Object Notation).
True or False: Azure Policy can evaluate resource properties during deployment.
- True
- False
Answer: True
Explanation: In addition to monitoring resource state after deployment, Azure Policy can evaluate resource properties during deployment and reject those deployments if they don’t meet the conditions in the policy.
Azure Policy can integrate with which of the following Azure services for remediation tasks?
- A. Azure Logic Apps
- B. Azure Automation Runbooks
- C. Azure DevOps
- D. All of the above
Answer: D. All of the above
Explanation: Azure Policy can integrate with Azure Logic Apps, Azure Automation Runbooks, and Azure DevOps to take corrective actions on non-compliant resources.
True or False: Azure Policy API version 2019-06-01 doesn’t support tagging.
- True
- False
Answer: False
Explanation: Azure Policy API version 2019-06-01 does support resource tagging.
What option should you use in Azure Policy if you want to record a violation but not stop a resource from being created?
- A. Deny
- B. Audit
- C. Append
- D. DeployIfNotExist
Answer: B. Audit
Explanation: The Audit effect in Azure Policy allows you to record the violation when a resource is not compliant without blocking its creation or update.
Interview Questions
What is Azure Policy?
Azure Policy is a service in Azure that you use to create, assign, and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements.
How does Azure Policy work?
Azure Policy works by applying a set of defined rules or actions to specific resources or resource groups within Azure. When the conditions specified in the policy are matched, Azure Policy will perform the designated action.
Can Azure Policy be used for auditing?
Yes, Azure Policy has an ‘audit’ effect that enables you to track whether existing resources comply with a policy. This doesn’t make any changes, but it flags non-compliant resources for future review.
What are policy assignments in Azure Policy?
Policy assignments are the association of a policy definition with a specific scope for enforcement. The scope can be a management group, a subscription, or a resource group.
What is the difference between ‘deny’ and ‘audit’ effects in Azure Policy?
The ‘deny’ effect in Azure Policy will block a request if it doesn’t comply with the policy definition. However, the ‘audit’ effect will allow the request but will flag it as non-compliant in the compliance section of Azure Policy.
What is the purpose of ‘initiative’ in Azure Policy?
An initiative in Azure Policy is a collection of policy definitions that are designed to achieve a singular overarching goal. This is helpful in more complex scenarios where one single policy is not enough to enforce or audit a desired state.
Can Azure Policy assess the compliance state of your resources?
Yes, Azure Policy includes a compliance feature that provides an aggregated view to evaluate the overall state of the environment, with drill-down options to view noncompliance details of resources.
Can I create custom policies in Azure Policy?
Yes, you can define custom policy definitions based on your organization’s requirements. Once defined, these definitions can be assigned to the required scope.
What are the key components of Azure Policy definition?
The key components of the Azure Policy definition are ‘Parameters’, ‘Policy Rule’, ‘Display Name’, ‘Description’, and ‘Metadata’.
What is ‘deployIfNotExists’ effect in Azure Policy?
The ‘deployIfNotExists’ effect in Azure Policy is a powerful feature that deploys an additional, related resource when the evaluation finds that this related resource does not exist for the target resource.
How can I view the compliance state of an individual resource?
You can view the compliance state of an individual resource in the Azure portal by navigating to the ‘Policy’ section and then to the ‘Compliance’ tab.
Are there any default policy assignments?
Yes, Azure Policy provides several built-in policy assignments that you can readily use. These built-in policies are mainly derived from common use-cases and practices.
What is the purpose of Remediation in Azure Policy?
Remediation in Azure Policy is an automated process that modifies the resources which are flagged non-compliant, helping them to become compliant with the defined policy.
How can we classify resources in Azure?
Azure Policy has a feature called ‘tagging’ that can be used to classify resources by adding metadata to them.
Can Azure Policy apply multiple effects at once?
Yes, multiple effects can be included in a single Azure Policy. The order of the effects in the policy rule matters, and the first matching effect takes precedence.