Hardening (by default) your Azure environment with Azure Policy

To make the deployment process of new Azure VM resources more secure, it is necessary to check if Azure has the possibility to limit the opening of ports on new resources to a predetermined set.

Objectives

  • Explore Azure capabilities to limit users action on infrastructure by policy
  • Alerting Azure admins if any of the blocked port is used

Next activities

  • Create a basic inventory of Azure infrastructure to define the activity scope
  • Create cards for these activities:
  • Review identities on Azure
  • Create an operational guide to create the policies that will block actions

Analysis

Azure Policy is one of the key elements of Azure governance, its operation as follow: once the request is validated (e.g. creation of a virtual machine) the next thing that is being checked are permissions so azure will check whether the user that submitted the request to create this specific azure resource has all the permissions required to create the service and if it does it creates the service with the properties that we specified.

But there’s one more thing that Azure does before creating that service which is checking for policies. Azure Policy allows you to check for azure resource properties (e.g. deployment location) and then make decisions based on the values of those properties.

This feature helps create policy definitions in order to match internal standards and once this policy definition is created and then assigned to an azure scope it will be active and will validate all of the deployments that will happen within this specific scope. In case our policy definition is not respected this will fail the deployment and the service would not be created. What is important to notice is that policies do not check for user permissions: they already assume that user has a right to create azure resources because this was checked in a previous step, with azure policy we check for resource properties, focusing on the definition of resources we can make sure that our resources are compliant with our internal standards.

The Azure Policy panel gives a high-level overview of all of the policies that are currently assigned across all of the other subscriptions and how many resources within my azure subscriptions are compliant or not compliant with my policies.

Note that there are two types of policies: a policy is a singular check and then a singular effect that you want to apply (e.g. location), grouping multiple policies are called initiatives, so initiatives allow you to bundle multiple policies and then assign them as a single combined bundle.

When creating policies there is a tab called “remediation”, by default azure policies are only applied to the newly created resources or the ones that are being currently modified. If there are already existing resources the remediation task will audit and apply your policies against those resources that already exist on Azure environment.

Azure Policy is designed to help with resource governance, resource security compliance and even cost management. For example, there is a built-in policy that allows you to inherit resource tags from a resource group or azure subscriptions in order to improve azure resources governance.

Azure Monitor can check Azure Policy status and activity and alert the user in case of non-compliant resources.

Conclusions

Azure Policy and Azure Monitor have all the features to respond to our need to block specific activities on the Azure environment and alert admin users if there are any non-compliant resources.

References