Governance and Security Flashcards

1
Q

Management Groups

A

Are containers that help you manage access, policies, and compliance across multiple Azure subscriptions. Serve as the root level of the Azure hierarchy, enabling you to apply policies, access controls, and compliance standards consistently across all subscriptions within a management group.

What problem do they solve?

-Enable centralized governance and control over Azure resources, ensuring compliance with organizational standards and regulatory requirements.
-Allow you to enforce policies consistently across all subscriptions within the management group hierarchy, reducing the risk of misconfiguration, security vulnerabilities, and compliance issues.
-Provide a unified view of subscriptions, policies, access controls, and costs within your organization.

Implementation

  1. Root Management Group: A default, root-level management group that cannot be modified
    -You can apply permissions or policies at this level
  2. Management Group: Helps to organize subscriptions.
    -Supports IAM and Policy assignments
  3. Subscription: Can belong to one Management Group
    - Inherits all assignments

Considerations

-Each MG or subscription can have only ONE parent, and the hierarchy supports up to six levels of depth
-All subscriptions within a management group must trust the same tenant
-Global Admins must first elevate permissions, and can then assign roles

2
Q

Resource Tagging

A

Is a feature that allows users to associate custom metadata with cloud resources. Tags are key-value pairs that provide additional context and organization to resources, enabling users to categorize, manage, and track resources more effectively.

The goal is to give us a way to attach additional information to resources that helps with Administration, Automation, Cost Control and Operations.

Benefits of Resource Tagging:

-Resource Organization
-Cost Allocation
-Policy Enforcement
-Resource Monitoring and Reporting
-Automation and Orchestration

Implementation

  1. Tag: Metadata (key-value pairs) that help to track important information
  2. Scope: Can assign to a Subscription, Resource Group, or Resource
  3. Considerations: Maximum of 50 tags per resource (a JSON string in a single tag value can hold more). Tags are not inherited
3
Q

Resource Locks

A

Are a feature designed to prevent accidental deletion or modification of critical Azure resources. They provide an additional layer of protection to help safeguard important resources from unwanted changes, inadvertent actions, or unauthorized modifications.

Types of Resource Locks:

  1. Delete Lock (CanNotDelete): A delete lock, also known as a “CanNotDelete” lock, prevents the deletion of a resource. Once applied, this lock prevents any user or process from deleting the resource, including users with owner or contributor permissions.
  2. Read-Only Lock (ReadOnly): A read-only lock, also known as a “ReadOnly” lock, prevents any modification to a resource. While this lock allows users to view and interact with the resource, it blocks any updates, deletions, or configuration changes.

Implementation

  1. Lock
    -CanNotDelete: Allows modifications, blocks deletion
    -ReadOnly: No changes whatsoever
  2. Scope: Can assign to a Subscription, Resource Group, or Resource
  3. Considerations: Locks are inherited, but take effect on the control plane only (not data)
4
Q

Azure Cost Management

A

Is a suite of tools and services that helps users monitor, analyze, optimize, and manage their cloud spending and costs effectively. It provides visibility into Azure resource usage, cost trends, and spending patterns, enabling organizations to control costs, optimize resource utilization, and maximize the value of their cloud investments.

Cost Analysis

-Centralized cost reporting and analytics for Azure (and optionally AWS)
-Allows costs to be broken down by resource tags, services, locations, and more
-Users can view detailed cost breakdowns, cost trends over time, and cost forecasts to gain insights
-Provides detailed cost download/export capabilities (once-off, or scheduled exports)

Alerts and Budgets

-Create budgets that will alert on thresholds (percentage actual/forecast)
-Also supports alerts to be triggered based on cost anomalies (massive changes on costs)
-Can leverage Azure Monitor Action Groups to create automated responses to costs

Advisor Recommendations

-Cost Management includes Azure Advisor Cost recommendations
-Azure Advisor is a tool that looks across all of your resources, considers their current state and trends over time, and recommends actions you should take to lower costs
-These cover recommendations like unused or underutilized resources (over time)
-Purchasing recommendations are also included (e.g. PAYG vs Reserved Instances)

5
Q

Azure Policy

A

Is a service that allows you to create, assign, and manage policies to enforce governance, compliance, and security requirements across your Azure environment. It helps you ensure that your Azure resources meet organizational standards, regulatory requirements, and best practices by defining and enforcing rules and guidelines.

Example standards (Defence, Health, Government):
-Resources and resource groups must remain in the US West region
-All resources and resource groups must be tagged with a cost-center id
-All VMs must be deployed with support for Confidential Compute
-Anonymous access to blob containers must be denied

Implementation Overview

  1. Author: Create policies to define the standards that must be enforced
  2. Assign: Assign the policies with the appropriate parameters
  3. Enforce: Report on and remediate non-compliance
    -You can check the compliance of your subscriptions to see whether any resources don’t meet your policies
    -Prevent certain things from happening
    -Modify resources to ensure that they do comply

Configuration

  1. Policy Definition: Enforces standards by checking resource properties for conditions
    -Properties: Information about the policy such as name, mode, and metadata
    -Parameters: Allows data to be declared when assigning the policy
    -Policy Rule: Defines the Condition to evaluate and the Effect when true
  2. Policy Assignment: Assigns or excludes a policy for a scope (MG, Sub, RG, Resource)
    -An Initiative is a collection of Azure Policies that you assign together
    -You can choose whether it will be enforced or not
  3. Policy Exemption: Allows resources to be exempt from evaluation (waived or mitigated)
    -You can attach it to individual resources
6
Q

ARM Template Overview

A

Are JSON files that define the infrastructure and configuration for Azure resources in a declarative manner. These templates describe the resources needed for a solution and allow you to deploy, update, or delete those resources together as a single unit.

-They help us define standardized solutions
-A parameters file is a JSON file that accompanies the template file. The parameters file allows you to provide input values for the parameters defined in the ARM template.

Benefits of using ARM Templates

-Infrastructure as Code (IaC)
-Consistency and repeatability
-Dependency management
-Versioning and history tracking
-Automated deployments
-Scalability
-Cost management

ARM Template Definition

-Parameters: Pass values at deployment time
-Variables: Set values within the template (values that you are going to repeat many times)
-Resources: Define Azure resources to deploy
-Outputs: Show information from deployment
-Functions: User-defined and built-in functions

Administration

-Deploy: Using Portal, PowerShell, or CLI
-Review: Check “Deployment” history/status
-Export/Download: Export (or retrieve original template)
-Accept Terms: Accept marketplace terms (if you are using marketplace items)

7
Q

Bicep Template Overview

A

Bicep is a domain-specific language (DSL) and a compiler toolchain for Azure Resource Manager (ARM) templates. Bicep simplifies the creation and management of ARM templates by providing a cleaner and more concise syntax compared to JSON.

-Essentially, Bicep allows you to write ARM templates in a more human-readable and maintainable format.

Bicep Template Definition

-Parameters: Input values used at deployment time
-Variables: Reusable values within the template (values that you are going to repeat many times)
-Resources: Define Azure resources to deploy or update
-Outputs: Values to return following deployment
-Modules: Organize deployments into modules

Administration

-Deploy: Using Portal, PowerShell, or CLI
-Review: Check “Deployment” history/status
-Export/Download: Export (or save original) template
-Convert to ARM: Generate ARM template from Bicep
-Accept Terms: Accept marketplace terms (if you are using marketplace items)

8
Q

Advanced Templates

A

Deployment Modes

-Complete Deployment: Modifies and removes resources so the resource group exactly mirrors the template definition

-Incremental Deployment: Only adds or updates resources to match the template definition

Deployment Scopes

-You can perform a deployment at the Resource Group, Subscription, Management Group and Tenant level.

-You will use a command that matches the scope (e.g. az deployment sub create)

Modular Templates

Nested Templates: Additional templates that are embedded within the main template
-An ARM template containing a resource of "type": "Microsoft.Resources/deployments"

Linked Templates: Separate template files that are referenced from the main template
-Rather than embedding all of the code in the same ARM Template (Nested), we can specify a template link that refers to the file that contains all of the configuration
-For large complex infrastructure solutions

Bicep Modules: Create smaller and reusable units that can be called from Bicep templates
-Similar to Linked ARM Templates

9
Q

Moving Azure Resources

A

Move Across RG or Subscription

-Resources can move across RGs and across subscriptions
-These move operations do not influence the location (region) of resources
-Cross-subscription moves are only supported when the Azure AD tenant is the same
-Cross-subscription moves with dependent resources must occur together in the same RG
-Be aware Resource IDs will be changed by any move operations

Move Across Region

-Only a selection of services support moves across regions
-The move must be validated, prepared, initiated, and then finished
-The final step allows you to either commit or discard the move

  1. Select resources
  2. Validate resources
    -Check dependencies
  3. Prepare move
    -Begin replication or generate template (if you don’t have any data)
  4. Initiate move
    -Create resource/copy or deploy resource
  5. Finalize move
    -Commit move or discard changes
    -If committed, delete the source
10
Q

Key Vault

A

Helps you safeguard cryptographic keys, secrets, and certificates used by cloud applications and services. It offers a secure and centralized location to store and manage sensitive information such as passwords, connection strings, encryption keys, and certificates, helping you protect your data and comply with regulatory requirements.

-Built for programmatic access

Data Types

-Secrets: Sensitive data that needs to be protected, such as passwords, API keys, or connection strings

-Keys: Cryptographic keys that can be used for encryption, decryption, signing and verification

-Certificates: Digital certificates that can be used for authentication and encryption purposes

Architecture

  1. Key Vault: Vault or Managed HSM for storing secret data (FIPS compliant)
  2. Data: KV data (keys, secrets, certificates) is accessed via REST
  3. Access Control: Grant Azure AD identities access using RBAC or an Access Policy

Implementation

-An Azure AD Identity is required to access the Key Vault (data/management)
-Managed Identities are recommended for apps (vs app registration + secret)
-Protect data with Soft Delete (recycle bin) and Purge Protection (time-based lock)
