Governance and Security Flashcards
(39 cards)
When designing an Azure environment, what steps need to be done first?
Plan the management and governance of the Azure tenant
Define governance in Azure
Establishment of policies, and continuous monitoring of their proper implementation
What are the 3 steps in defining governance?
- Set policies/rules to be enforced
- Configure monitoring to enforce and account for the policies and their implementation
- Implement/deploy in accordance with the policies
What mechanism prevents accidental deletion in Azure environments?
Management locks
What are the two types of management locks in Azure?
Delete and read only
Define a “delete” management lock
Ensures that no one can delete resources from your Azure subscription, by accident or on purpose
Define a “read only” management lock
Ensures that authorized users can read a resource, but cannot modify or delete it
What is the benefit/purpose of using a “core resource group”?
To deploy resources that are used across several other resource groups. For example, if I have a virtual network that is used by several services across the entire subscription, or an Azure Key Vault in which I store administrative credentials as secrets, then these types of resources are created in one of my core resource groups.
What is the organizational unit hierarchy in Azure, and in what direction do policies flow?
Management group -> Subscription -> Resource group -> Resource
What is the purpose/function of a management group?
Configure different management scopes that allow us to granularly manage governance settings at a scope above the subscription; enables customers to create global policies and role assignments that are valid for all Azure subscriptions within an Azure tenant’s scope
What can be logically stored in a management group?
Other management groups, subscriptions, resource groups, and resources
Define the “root management group”
Each Azure AD directory is given a top-level management group; All subscriptions and management groups that are created for this Azure tenant belong to this root group
“Must knows” of root management group
- Only user accounts that have been assigned the Owner or Contributor role on the tenant root group can change its display name.
- The root group cannot be deleted or moved to another management group.
- No one is given default access to the tenant root group. Only Azure AD global administrators have the right to elevate themselves to gain access and to make changes if necessary.
What is best practice to allow admins to see all resources/subscriptions/management groups?
You may want to give your security administrators read access to all resources that are created within the scope of your Azure Entra ID tenant
How would a resource/application be able to automatically deploy resources?
Give the application/resource access to all your Azure subscriptions
How can a global admin elevate access to modify the root management group?
- Sign in to the Azure portal or Azure Active Directory Admin Center as a Global administrator.
- Click Azure Active Directory and then Properties in the navigation pane.
- Under Access management for Azure resources, set the toggle switch to Yes.
OR
New-AzRoleAssignment -SignInName username@example.com -RoleDefinitionName "User Access Administrator" -Scope "/"
Describe “Azure Policy”
Azure Policy allows you to create, assign, and manage policies. Policies that you define enforce different rules for resources that you create in a policy’s scope.
How does Azure Policy actively monitor compliance?
Azure Policy service evaluates resources for non-compliance with assigned policies and then applies a defined action.
How do policy definitions and initiatives/actions work together to enforce policies?
Each policy definition includes a policy rule with an effect that determines the action to be taken if the conditions are satisfied.
Define a “policy definition”
Policy definitions in Azure Policy express what to evaluate and what action to take when certain conditions are met; A JSON file that describes resource compliance and what effect to take when a resource is, or becomes, non-compliant.
What effects/initiatives/actions can Azure Policy implement if it detects non-compliance?
- Disabled is checked first to determine whether a policy’s rule should be evaluated. It is useful when testing the effect of a new policy definition or when you want to disable only one assignment instead of all assignments of a particular policy definition.
- Append and Modify are evaluated next. Append is used to add additional fields to a requested resource during resource creation or a resource update. With an append policy, you can, for example, specify allowed IP addresses for a resource. The Modify effect is helpful when adding tags to a resource, for example, resourceOwner or costCenter.
- Deny is then evaluated and used to deny a resource request that does not match your compliance standard. The resource request will fail after evaluation. With a deny policy, you can, for example, prevent your administrators from creating resources in Azure regions that you do not allow, or prevent them from deploying VM SKU sizes you have not approved.
- Audit and AuditIfNotExists are evaluated last and used to create a warning event in the activity log when evaluating a non-compliant resource. The resource request will not be stopped, but you will be informed about the non-compliance.
- Similar to AuditIfNotExists, the DeployIfNotExists (DINE) effect will evaluate a resource and, if it is non-compliant, start a template deployment to auto-remediate the non-compliant resource. For example, if you create a storage account without requesting HTTPS access, you can use a DINE policy to enforce this setting on the storage account.
What elements does a policy definition contain?
- Mode
- Parameters
- Display name (as it is found in the Azure portal or in the CLI)
- Description (what this policy is actually doing, when to use it, and so on)
- Policy rule (the rule definition)
- Logical evaluation (what is the condition for resource compliance)
- Effect (what happens if a resource is non-compliant)
Describe the “mode” of a policy definition
The policy mode determines which resource types are evaluated by the policy. There are two modes supported:
* All: All resource groups and resource types are evaluated.
* Indexed: Only resource types that support tags and locations are evaluated.
Describe the “parameters” property of a policy definition
Helps to give more granular control of what is being evaluated and what is happening in the event of non-compliance:
* name: The name of your parameter.
* type: The parameter type can be string, array, object, boolean, integer, float, or datetime.
* metadata: The parameter’s sub-properties used by the Azure portal to display user-friendly information about the parameter. These include description, display name, strongType, and assignPermissions.
* description: An explanation of what the parameter is used for.
* display name: A friendly name for the parameter shown in the Azure portal.
* strongType: (Optional) This property is used when assigning the policy through the Azure portal.
* assignPermissions: (Optional) If this value is set to true, the Azure portal will create role assignments during policy assignment. This option can be useful if you want to assign permissions outside the policy’s assignment scope.
* defaultValue: (Optional) If no value is specified during policy assignment, this value is used. defaultValue is mandatory if you update an existing policy definition that is already assigned.
* allowedValues: (Optional) This property provides an array of values that the parameter will accept during policy assignment.