Secure Azure Infra – 8:Implementing Azure Resource Policies

The last lab of this series about Secure your infrastructure with Azure Security Center.

Azure resource policies are used to place restrictions on what actions can be taken at a subscription or resource group level. For example, a resource policy could specify that only certain VM sizes are allowed, or that encryption is required for storage accounts. In this section of the lab, we’ll apply built-in resource policies to one of our resource groups to restrict what can and can’t be done in our environment.

1) In the Azure portal, navigate to the Contoso-PaaS resource group and then click on Policies in the menu.

2) Select Definitions and then Policy Definitions in the right hand pane.

3) Scroll down to the policy entitled ‘Allowed Resource Types’, click the ‘…’, select ‘View Definition’ and then click on ‘JSON’. This shows you the JSON policy document – this simple example takes a list of resource types and prevents the ability to create them.

Azure Resource Policy Example

Figure 26: Azure Resource Policy Example

4) Click on ‘Assignments’ in the menu and then click ‘Assign Policy’.

5) Use the following details to create the policy:

Policy: Allowed Resource Types Allowed Resource Types: Select all ‘Microsoft.Network’ resources Display Name: Allow Network ID: Allow-Network

6) Use the Azure Cloud Shell to attempt to create a virtual machine using the following commands:

New-azurermvm -resourcegroupname "contoso-paas" -name "policy-test-VM"  -imagename "UbuntuLTS"

7) Type in a username and password for the new virtual machine

8) The validation should fail with a message stating “The template deployment failed because of policy violation. Please see details for more information.” Azure Resource Policy was successfully applied and blocked the new virtual machine creation.

9) Return to the ‘Policies’ page and remove the ‘Allow-Network’ resource policy assignment.

Conclusion

Well done, you made it to the end of the lab! Hopefully this guide has given you a good grounding in Azure security concepts. There’s more we could have covered but space is limited! We hope you enjoyed running through the lab and that you learnt a few useful things from it. Don’t forget to delete your resources after you have finished!

The Next Series of Lab , I will share about Securing PaaS.

Happy New Year.  Continue Learning for Year 2019.

References

https://github.com/Araffe/azure-security-lab

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

Leave a Reply

Your email address will not be published. Required fields are marked *