Azure Security Benchmark: Azure Policy for BR-3: Monitor backups? - azure

Azure Security Benchmark recommends "BR-3: Monitor backups"; however, I don't find a related policy as part of the Azure Security Benchmark initiative.
How do I define the policy for this recommendation?

Related

Azure kubernetes installation

I can't install AKS in Azure, because it doesn't allow me to choose a region. I have selected every possible region, but it is not possible to use it. I am using a student account in Europe. Can you please let me know which region to use?
KR
Policy enforcement value does not meet requirements on resource Microsoft.ContainerService/manageCluster The field location with with
the value US(westus3) is denied
With policy enforcement in Azure you can apply configuration settings and resource creation rules at the subscription level, resource group level and resource level as well.
Azure Policy is an Azure service for creating, assigning, and managing policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements.
So, based on the above statement, one could say there might be policy enforcement from your administrator, or a default policy set on the Azure side for student accounts that does not allow creating AKS.
As for the Azure Student account, this benefit provides you access to a free tier of the following services:
• Azure App Service
• Azure Functions
• Azure Notification Hubs
• Azure Database for MySQL
• Application Insights
• Azure DevOps Services (formerly Visual Studio Team Services)
For more information you can refer to this document.

Azure IAM - is it possible to audit group memberships using Azure Policy?

I want to first audit (and later enforce) that user names added to a specific AD group follow a certain naming convention. Is this achievable via Azure Policy? It would be straightforward to get such a report through scripting, but in our case we want to see a clear audit status with Azure policies and eventually prevent them from being added in the first place with the Policy deny effect.
No, I believe Azure Policy can only be used on the Azure Resource Manager scope. Azure AD objects like users and groups can't be managed using Azure Policy. So one way to think of it is that if you can deploy something with an ARM template, you can likely govern only those objects using Azure Policy.
The alternative to having nice audit reports for Azure AD stuff would be Azure AD Privileged Identity Management (PIM). It's pretty awesome but I don't think your use case around enforcing and auditing naming conventions of users is supported. Cheers!

DeployIfNotExists policy at Subscription level

I am trying to enable Diagnostic Settings of subscriptions using a custom policy. But, the compliance report always shows 0/0; basically it is not identifying the subscriptions under a management group. To confirm this behavior, I created a custom policy, duplicating the BuiltIn policy "Enable Azure Security Center on your subscription". It is also showing 0/0. Is there any limitation to deploy something using a DeployIfNotExists policy at subscription level?
Azure Policy is capable of deploying resources at the Subscription level. Are you sure that your scope for the Policy Assignment is set at the parent Management group of your Subscriptions?
This should be what you are looking for. There are examples in this directory for creating diagnostic settings for Activity Logs on a Subscription that point to a Storage Account, Log Analytics Workspace, or an Event Hub. Below is a link to a deployIfNotExists policy that points to a Log Analytics Workspace.
https://github.com/Azure/Community-Policy/blob/master/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-log-analytics/azurepolicy.json
(all credit for this policy to the original author)
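As an added illustration (not the linked policy and not code from the original answer), the following custom policy definition shows the subscription-level deployIfNotExists pattern the answer describes: the rule matches the subscription resource type itself, and the details block sets both the existence check and the deployment to subscription scope. The parameter name logAnalytics, the diagnostic setting name and the deployment location are assumptions; the roleDefinitionIds entry is the built-in Contributor role, which the remediation identity needs to write the diagnostic setting. Assign it at the management group above the subscriptions so they are evaluated.

```json
{
  "mode": "All",
  "parameters": {
    "logAnalytics": {
      "type": "String",
      "metadata": { "displayName": "Log Analytics workspace resource ID", "strongType": "omsWorkspace" }
    }
  },
  "policyRule": {
    "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceScope": "subscription",
        "deploymentScope": "subscription",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "existenceCondition": {
          "allOf": [
            { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" },
            { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "true" }
          ]
        },
        "deployment": {
          "location": "eastus",
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": { "logAnalytics": { "type": "string" } },
              "resources": [
                {
                  "type": "Microsoft.Insights/diagnosticSettings",
                  "apiVersion": "2017-05-01-preview",
                  "name": "activity-log-to-law",
                  "properties": {
                    "workspaceId": "[parameters('logAnalytics')]",
                    "logs": [
                      { "category": "Administrative", "enabled": true },
                      { "category": "Security", "enabled": true },
                      { "category": "Policy", "enabled": true }
                    ]
                  }
                }
              ]
            },
            "parameters": { "logAnalytics": { "value": "[parameters('logAnalytics')]" } }
          }
        }
      }
    }
  }
}
```

The compliance report only lists subscriptions under the assignment scope, so a 0/0 result usually means the assignment sits on a scope that contains none of them rather than a defect in the definition.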

For Azure API Management - Consumption SKU does it support integration with Azure DevOps through Service Principles

I have attempted to connect a service principal through Azure DevOps using PowerShell scripts to deploy APIs and manage updates on Azure APIM (Consumption SKU) and I get authorization failures. I have checked the service principal and the permissions associated with the resource group for the APIM and everything appears to be correct. I am able to do this using the Developer SKU of the Azure APIM without issue, but I am wondering if this is a limitation of the Consumption SKU.
Using PowerShell to connect a service principal relies on Azure AD authentication. You can refer to this tutorial; it shows that APIM in the Consumption SKU doesn't support Azure AD integration.
Found the issue was a malformed resource group name in the url posted. Resolved that and the Azure DevOps integration worked as expected.

Alternative to using Azure Cloud service in a CSP subscription

Team,
I have a complete running cloud service application upgraded to latest Azure SDK version and unfortunately need to dump this into a CSP subscription. But I came to know that Azure CSP supports only the Azure Resource Manager model, the cloud service is a classic deployment model. So we cannot create a cloud service within a CSP subscription.
Is there any other alternative within Azure CSP to using "cloud service" so that we can migrate with minimal changes? Please help.
Firstly, here are some good reads on Microsoft Docs to help comparing the options available and make decisions based on your requirements:
(I mean requirements like Hosting features, Service Limits, 3rd party software installation and RDP access is required or not, Network isolation to a separate VNET is required or not, Cost considerations, minimum SLA, Regions available, instant deployment and auto-scaling, state management etc.):
Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison
Decision tree for Azure compute services (this one covers a big spectrum: simple virtual machines, Batch, Functions, Containers, AKS, Service Fabric)
Criteria for choosing an Azure Compute Service
Also know that when looking for alternatives, it's not uncommon to make use of multiple compute or other Azure service options by breaking up an older solution into parts at the time of such a migration (e.g. a serverless compute option like Azure Functions + Service Fabric + something else if needed).
Generally speaking (and without knowing much about your application from your question currently), Azure App Service and Service Fabric could be considerations IMHO when migrating from an existing Cloud Service, but this is exactly where detailed requirements help you in decision making.
On a side note, here is a list of Azure Services available in CSP - Available Azure services in Azure CSP
