Module 5bc - Identity, Governance, Privacy and Compliance - Build a Cloud Governance Strategy, Policies Flashcards
What is Azure Policy?
A service that allows you to create/assign/manage policies that control or audit Resources.
Hint: On Policy Assignment…
What three (3) things can Azure Policy do with Tags to improve your tagging scheme?
Policy can:
- Ensure Resource Group tags inherit to child Resources; this tag propagation does not happen by default
- Enforce tagging rules and other conventions
- Reapply removed tags and other tag-related functionality.
Not all Resources will require a tag; querying for Resources by tag will include non-tagged Resources as well (T/F)?
FALSE. Applying a tag gives a Resource identifiable metadata, so a query or search for a specific tag returns ONLY those Resources with that matching metadata.
Any non-tagged Resources are NEVER returned in queries by tag.
What do you define when you create an Azure Policy?
You define Initiatives for Azure Policy to evaluate against your Resources.
Hint: IaaS
What are some categories for built-in initiatives?
The built-in Initiatives are categorized similarly to IaaS offerings:
- Storage
- Networking
- Compute
- Security Center
- Monitoring
What are the three (3) basic steps for using and verifying an Azure Policy?
- Create Policy Definition
- Assign Policy to a Scope
- Review the evaluation results
When creating an Azure Policy, what two things does it comprise?
Initiatives and Remediation
Initiatives - What to evaluate
Remediation - What to do about it (Effects, etc.)
Some example initiatives:
- Allow VM SKUs: enables you to specify a set of VM SKUs your org can deploy
- Allowed Locations: enables restrictions on deployment locations. Addresses geographic compliance requirements
- CORS should not allow every resource to access your web applications: allow only required domains to interact with your web apps
What are the three (3) Scopes of Policy Assignments?
A Policy Definition can be assigned to, and applied at, three specific scopes:
- Management Group (a collection of multiple Subscriptions)
- A single Subscription
- A Resource Group
Policy Assignments on a Resource Group are NOT propagated to the Group’s children because child resources are automatically exempted from Policy auto-assignments (T/F)?
False. When a Policy Assignment is made to a Resource Group, it is auto-applied to ALL Resources in the Group. You have the ability to exclude a sub-scope from the Policy Assignment.
Hint: excludes Regional Services from consideration
General Knowledge: Why use Azure Policies, Assignments and Initiatives to restrict deployments to specific Regions?
Improved Cost Tracking and Data Residency/Security Compliance
Since the cost of certain Resources can differ per Region, assigning Policies to a specific scope that limits Region deployment narrows cost tracking to that Region.
Depending on where the data is located, you may be bound by corporate/government data compliance rules that state where the data can be stored (GDPR, for example).
When creating an Azure Policy, you need to review the evaluation results. How is this accomplished?
Evaluations happen once per hour, so after you change your Policy Definition and/or Assignment, evaluation happens within the hour. It is during this evaluation that your Resource(s) get marked as compliant or noncompliant.
What are Azure Policy Initiatives, and how are an Azure Policy Definition, an Initiative Definition and a Policy Definition defined?
Related Policies grouped into a set. Initiative Definitions contain all the Policy Definitions needed to track larger-goal compliance states.
- Azure Policy Definitions == sets of one or more Initiative Definitions
- Initiative Definitions == sets of one or more Policy Definitions
- Policy Definition == a rule that, when applied, a Resource must comply with
What capabilities does Azure Policy have to keep your Resources compliant?
Policies can ensure Compliance on Resources through various capabilities:
- Prevent creation of noncompliant Resources
- Highlight existing noncompliant Resources
- Auto-Remediate noncompliant Resources and configurations
What two tools would you use to define an Initiative?
The Azure Portal, or command-line tools (PowerShell or the Azure CLI)
Hint: add/remove
How do you assign an Initiative (Definition) and what’s the big advantage of doing so?
You assign it to a Scope via Policy Assignment
Because Initiatives are a collection/set of related Policies (Policy Rules), it’s easier to create an Initiative and start with just one or even a few Policies defined in the Initiative, then assign the Initiative to your target Scopes. You can then add/remove Policies over time, without having to change the Policy Assignments made to your Resources.