I'm currently trying to write a custom Azure Policy definition that enforces diagnostic settings rules to exist for the Azure Active Directory (categories AuditLogs and SignInLogs). I've written policies for some other resources, but this one is giving me trouble. I cannot figure out what to write as "type" to make the policy match for the AAD settings. I've tried Microsoft.Resources/subscriptions with fields Microsoft.Insights/diagnosticSettings/logs[*] (these fields are similar for all other resources), but this type is for the Activity Logs. I've also tried Microsoft.AADIAM, Microsoft.AADIAM/diagnosticSettings as found via the Aliases API, as well as Microsoft.AADIAM/tenants and Microsoft.AAD/domainServices, but my policy keeps ending up as compliant for 0 out of 0 resources (i.e., it does not consider any resource to match).
Any suggestions?
Azure Policy can be used to define conventions that, when Policy Enforcement is enabled, will prevent non-compliant resources from being created.
In scenarios where non-compliant resources need to be exempted, this leads to having to coordinate several steps:
Disable policy Enforcement
Create the non-compliant resource
Add the exemption for the non-compliant resource to the Policy Assignment
Re-enable Enforcement
Review if any unexpected changes occurred during the period of time Enforcement was disabled -- and how to bring things back to compliance
While the above is acceptable, I'm curious if there is an ability to simultaneously create the non-compliant resource and the exemption without the need to coordinate other steps and create the chance for other issues to be introduced.
Is there a way to create a resource and a policy assignment exemption for it simultaneously? Is this potentially in a preview or private preview feature?
From my experience a resource needs to exist before it can be included in an exemption. However, these docs confirm that exemptions do work on the hierarchy in Azure. This means that you could, in steps, create a resource group to hold your non-compliant resources, then create the exemption with the scope of that resource group, and then create the non-compliant resources.
It sounds like you are looking for an automated solution.
I have not done this or seen anyone else do this - still unsure of your use case. Why deploy a resource that needs to be exempted automatically?
Anyway, you might have a chance of achieving this with:
Blueprints: https://learn.microsoft.com/en-us/azure/governance/blueprints/overview
Manually executing a PowerShell script: https://learn.microsoft.com/en-us/cli/azure/policy/exemption?view=azure-cli-latest#az-policy-exemption-create (or API).
IaC adding this to your ARM template https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
Policy using Modify or DeployIfNotExists using https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions?pivots=deployment-language-arm-template
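The IaC route from the list above, written out as an added example (not code from the question, the answers, or the linked Microsoft docs): a resource-group-scoped ARM template that creates a policy exemption first and only then the resource that would otherwise be denied. The assignment ID, the exemption name, the expiry date and the storage account settings are placeholders or constructed values, and the template assumes the deny assignment it references already exists at a parent scope.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "policyAssignmentId": {
      "type": "string",
      "metadata": {
        "description": "Placeholder: resource ID of the policy assignment to exempt, e.g. /subscriptions/<sub>/providers/Microsoft.Authorization/policyAssignments/<name>"
      }
    },
    "storageAccountName": {
      "type": "string",
      "metadata": {
        "description": "Constructed example resource that the assignment would otherwise deny"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/policyExemptions",
      "apiVersion": "2022-07-01-preview",
      "name": "exempt-legacy-storage",
      "properties": {
        "policyAssignmentId": "[parameters('policyAssignmentId')]",
        "exemptionCategory": "Waiver",
        "displayName": "Waiver for legacy storage in this resource group",
        "description": "Added example: scoped to the whole resource group, so it applies to resources created after it. Time-boxed so the waiver is reviewed rather than forgotten.",
        "expiresOn": "2030-01-01T00:00:00Z"
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2022-09-01",
      "name": "[parameters('storageAccountName')]",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "dependsOn": [
        "[resourceId('Microsoft.Authorization/policyExemptions', 'exempt-legacy-storage')]"
      ],
      "properties": {
        "minimumTlsVersion": "TLS1_2",
        "supportsHttpsTrafficOnly": true,
        "allowBlobPublicAccess": false
      }
    }
  ]
}
```

The dependsOn is the whole point: Resource Manager will not issue the storage account PUT (the request the deny effect evaluates) until the exemption resource has been created, so enforcement never has to be switched off. Because the exemption is scoped to the resource group rather than to a resource that does not exist yet, it sidesteps the ordering problem described in the first answer. Deploying this template still requires Microsoft.Authorization/policyExemptions/write on the resource group, which is worth restricting to the pipeline identity.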
I want to create an Azure Policy for storage accounts. During the creation of a storage account, it will count the number of storage accounts in the subscription which has a specific tag (like env:dev). If the number of this count exceeds 10, It should deny the creation of that storage account.
How I can count the number of storage account which has certain tag inside an Azure Policy declaration?
That is not something you can do using Azure Policy.
Even though the approach seems valid, the count operator is meant to be used with [*] aliases - see official documentation. One could think of scanning Microsoft.Subscription aliases, but running the command az provider show --namespace Microsoft.Subscription --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name", what you get as an output is so far not extensive:
[
"Microsoft.Subscription/SubscriptionDefinitions/subscriptionId",
"Microsoft.Subscription/SubscriptionDefinitions/subscriptionDisplayName",
"Microsoft.Subscription/SubscriptionDefinitions/offerType",
"Microsoft.Subscription/SubscriptionDefinitions/etag",
"Microsoft.Subscription/aliases/subscriptionId"
]
Also, the way the policy engine works wouldn't allow you to count the number of instances meeting a particular rule: each ARM component is scanned individually and compared to the rules defined in the policy. You cannot see "all Storage Accounts in a given scope" - each one is scanned without the whole picture being seen at any point. That is why I started with looking if the Subscription object had something like a Resources [*] alias.
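To make concrete what "count is meant to be used with [*] aliases" means, here is an added example definition (not from the question or the answer above) that counts members of one resource's own array property rather than resources across a scope: it denies a network security group that contains any inbound allow rule open to every source. The display name, description and the list of source prefixes are constructed; the aliases are the documented Microsoft.Network ones.

```json
{
  "properties": {
    "displayName": "Deny NSGs with an inbound allow rule from any source",
    "mode": "Indexed",
    "description": "Added example: count runs over a [*] alias of the single NSG being evaluated, which is the only kind of counting Azure Policy supports.",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups" },
          {
            "count": {
              "field": "Microsoft.Network/networkSecurityGroups/securityRules[*]",
              "where": {
                "allOf": [
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].direction", "equals": "Inbound" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].access", "equals": "Allow" },
                  { "field": "Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix", "in": [ "*", "Internet", "0.0.0.0/0" ] }
                ]
              }
            },
            "greater": 0
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

The count expression only ever sees the securityRules array of the one NSG in the request, which is exactly why the storage account quota in the question cannot be expressed: there is no alias that enumerates sibling resources. A per-subscription quota like "at most 10 dev storage accounts" belongs in a scheduled check over Resource Graph or the Storage API, with the result surfaced as an alert rather than a deny.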
I am creating an Azure policy to enforce some naming conventions. I want to enforce this policy only for any new resources being created. I am planning to use Deny as an Effect.
Will the Deny effect block the existing resources being re-provisioned?
Is there any way to implement this without impacting the re-provisioning of old resources? As per the document here, it says updating will be prohibited.
As mentioned in the link that you provided, the policy is applied "When creating or updating a matched resource".
However, you can enforce a policy per resource group.
So, if you have the possibility to have all the existing resources in one resource group and all the new resources in a second resource group, then you can get around it by applying the policy only to the second resource group.
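An added example of the kind of naming-convention deny policy discussed here (not code from the question or the answer above). The prefix, display name and description are constructed values; the assignment scope in the usage note is the resource group for new resources that the answer suggests.

```json
{
  "properties": {
    "displayName": "Deny resources whose name does not start with the required prefix",
    "mode": "Indexed",
    "description": "Added example: deny evaluates on create and update, so assign it only to the scope that holds new resources.",
    "parameters": {
      "requiredPrefix": {
        "type": "String",
        "metadata": {
          "displayName": "Required name prefix",
          "description": "Constructed default; replace with your own convention"
        },
        "defaultValue": "corp-"
      }
    },
    "policyRule": {
      "if": {
        "field": "name",
        "notLike": "[concat(parameters('requiredPrefix'), '*')]"
      },
      "then": { "effect": "deny" }
    }
  }
}
```

Assign the definition with the scope set to the resource group reserved for new resources, e.g. /subscriptions/<sub>/resourceGroups/<rg-new>, and re-provisioning in the legacy resource group is untouched. Before switching to deny, assigning the same definition with effect audit across the whole subscription gives a compliance list of the old names that would be blocked, which is the safer way to gauge the impact the question asks about.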
We manage an Azure subscription operated by several countries. Each of them is quite independent about what they can do (create/edit/remove resources). A guide of good practices has been sent to them, but we (security team) would like to ensure a set of NSGs is systematically applied for every new subnet/vnet created.
Giving a look to Azure Triggers, I am not sure that subnet creation belongs to the auditable events. I also was told to give a look to Azure Policy, but once again I am not sure this will match our expectations, which are: for every new vnet/subnet, automatically apply a set of predefined NSGs.
Do you have any idea about a solution for our need?
I have done work like this in the past (not this exact issue) and the way I solved it was with an Azure Function that walked the subscription and looked for these kinds of issues. You could have the code run as a Managed Identity with Reader rights on the subscription to report issues, or as a Contributor to update the setting. Here's some code that shows how you could do this with PowerShell https://github.com/Azure/azure-policy/tree/master/samples/Network/enforce-nsg-on-subnet
You could consider using a Policy that has a DeployIfNotExists Action, to deploy an ARM template that contains all the data for the NSG. https://learn.microsoft.com/en-us/azure/governance/policy/samples/pattern-deploy-resources
You can get the ARM template by creating the NSG and getting the template:
[screenshot: GettingNSGTemplate]
Note also that creating a subnet is audited; you can see it in the Activity Log for the VNet. See the screenshot.
[screenshot: AddingASubnet]
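Before wiring up a DeployIfNotExists remediation, the detection half of the answer above can be expressed as an audit policy. The following is an added example (not code from either answer, the linked sample repository, or the Microsoft docs) that flags every subnet without an NSG attached; the display name and description are constructed, the aliases are the documented Microsoft.Network ones, and the GatewaySubnet exclusion assumes the usual VPN/ExpressRoute gateway subnet that cannot carry an NSG.

```json
{
  "properties": {
    "displayName": "Audit subnets that have no Network Security Group",
    "mode": "All",
    "description": "Added example: subnets are child resources without tags, so mode All is required for them to be evaluated.",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets" },
          { "field": "name", "notEquals": "GatewaySubnet" },
          { "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", "exists": "false" }
        ]
      },
      "then": { "effect": "audit" }
    }
  }
}
```

Assigned at the subscription, this gives the security team a compliance view of every subnet a country team creates without an NSG, independent of whether they followed the guide. The same if block is what a DeployIfNotExists version would keep, with the then block swapped for a deployment of the predefined NSG and its subnet association; the linked pattern-deploy-resources page shows that shape.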
In the Azure CLI resource manager, we can list providers and their operations.
azure provider list
azure provider operations show Microsoft.Web/sites/*
How do we run one of the listed operations. For instance, how would we run this:
Operation : Microsoft.Web/sites/sourcecontrols/web/Read
OperationName : Get Web App's source control configuration
ProviderNamespace : Microsoft Web Apps
ResourceName : Web App Source Control
Description : Get Web App's source control configuration settings.
The purpose of azure provider operations show is to display operations that are supported by the various providers so that you can use them to create custom Role Based Access Control (RBAC) roles. They are not actual commands or endpoints that can be executed.
To create a custom RBAC role, you first create a JSON file describing the role and operations allowed by the role, then pass the file to azure role create.
More details here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-azure-cli/#create-a-custom-role
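An added example of the JSON file the answer describes (not code from the question, the answer, or the linked docs), built around the operation listed in the question: a read-only custom role that can view a Web App's source control configuration and nothing else. The role name, description and subscription ID are placeholders; Microsoft.Web/sites/Read and Microsoft.Resources/subscriptions/resourceGroups/read are included so the role can browse to the site in the first place.

```json
{
  "Name": "Web App Source Control Reader",
  "IsCustom": true,
  "Description": "Added example: least-privilege role that only reads Web App source control settings. Subscription ID below is a placeholder.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Web/sites/Read",
    "Microsoft.Web/sites/sourcecontrols/web/Read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

With the old CLI this file is passed to azure role create --inputfile; with the current az CLI the equivalent is az role definition create --role-definition. Keeping Actions to explicit Read operations rather than a wildcard such as Microsoft.Web/sites/* is what makes the operations listing useful: it lets you grant exactly the one capability a team asked for.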