Azure Policy: How to Create and Remediate Compliance

choubertsprojects

VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

With the increased demand for compliance, it can be difficult to know where to start. While there are some general guidelines you can follow, knowing what exactly is required of your business and how much time you have to complete a task will help in setting realistic expectations.

The “azure policy auto remediation” is a command-line tool that allows users to automatically remediate policies in Azure. This can be done by creating and then deleting the compliance state for each policy.

Azure Policy: How to Create and Remediate Compliance

The capacity to set templates, rules, and processes is a recurring feature in today’s cloud systems. These templates then specify what may be done and ensure that what is already in place is accurate. Azure Policy, a Microsoft service, is an excellent method to do this.

Learn how Azure Policy works in this post, then explore how to build different policies and remediate actions.

How to Make an Azure Policy

The Microsoft Microsoft Azure Portal Portal, PowerShell, Azure CLI, and ARM templates are all options for creating rules.

Microsoft Microsoft Azure Portal

Starting here is a fantastic introduction to policies whether you prefer the GUI method or are investigating your alternatives. The user interface is straightforward, allowing you to quickly assess your alternatives.

  1. Within the Microsoft Microsoft Azure Portal, search for Policy.
  2. Under the Authoring section, choose Assignments.
  3. Select Assign policy.
  4. Select the subscription to apply to and, if desired, the resource group by clicking the ellipsis under Scope.
  5. Select the policy to define by clicking on the ellipsis beneath Policy definition.
  6. Use the default generated name for Assignment name or write your own to make your policy stand out.
  7. Fill in any Parameters that are required depending on the policy selected.
  8. Finally, establish a managed identity and, if required, provide its location.

Developing a PolicyDeveloping a Policy

PowerShell

Thankfully, PowerShell makes assigning an Azure policy definition to a policy assignment a breeze. The current version of Azure PowerShell must be installed, as well as the Azure Policy Insights resource provider must be registered.

PS51> Register-AzResourceProvider -ProviderNamespace ‘Microsoft.PolicyInsights’

Distribute the Policy

PS51> $resourceGroup = Get-AzResourceGroup -Name ‘<resourceGroupName>’ PS51> $definition = Get-AzPolicyDefinition | Where-Object { $_.Properties.DisplayName -eq ‘<policyName>’ } PS51> New-AzPolicyAssignment -Name ‘<assignment-name>’ -DisplayName ‘<friendlyName>’ -Scope $resourceGroup.ResourceId -PolicyDefinition $definition -listOfResourceTypesAllowed ‘<parameterValues>’

Azure CLI

If PowerShell isn’t accessible or you don’t want to use it, you can do a lot of the same things using the Azure CLI. If you can’t utilize PowerShell on all operating systems, this may be useful in cross-platform circumstances.

> az policy assignment create –name ‘<policyName>’ –display-name ‘<friendlyName>’ –scope ‘<scope>’ –policy ‘<policyDefinitionID>’

Templates for Azure Policies

Templates in Azure Resource Manager are a new approach to build and assign policies to resources. As an example, below is a beginning template for selecting a policy to apply to a resource group.

{ “$schema”: “https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#”, “contentVersion”: “1.0.0.0”, “Parameters”: { “policyAssignmentName”: { “type”: “string”, “metadata”: { “description”: “Specifies the name of the policy assignment.” } }, “rgName”:{ “type”: “string”, “defaultValue”: “[resourceGroup().name]”, “metadata”: { “description”: “Specifies the name of the resource group where you want to Distribute the Policy.” } }, “policyDefinitionID”: { “type”: “string”, “metadata”: { “description”: “Specifies the ID of the policy definition or policy set definition being assigned.” } } }, “resources”: [ { “type”: “Microsoft.Authorization/policyAssignments”, “name”: “[Parameters(‘policyAssignmentName’)]”, “apiVersion”: “2018-05-01”, “properties”: { “scope”: “[concat (subscription ( ).id, ‘/resourceGroups/’, Parameters(‘rgName’))]”,

What is Azure Policy Assignment?

Assign the policy definitions that you wish to apply to a given scope once you’ve chosen or created them. The scope simply specifies who or what the policy assignment would affect, such as a management or resource group. It’s worth noting that policy assignments are passed down to all child resources, although you may omit a sub-scope if necessary.

Azure Policies Examples

There are many policy definitions available, and choose which one to use might be difficult. So, what are some of the alternatives, and when and why would you employ them?

  • Require Tag and Value — This may be used in a variety of ways, including identifying a number of distinct resources dispersed over numerous resource groups, or for cost codes.
  • Allowed Resource Types – What if you just want certain resources to be allowed? With merely the ability to establish a storage resource, this may enforce that.
  • Pending Reboot Audits for Windows VMs – Maybe you want to know which Windows VMs need a scheduled reboot so you don’t forget about them? Use this policy to identify and maybe remediate people who are on a regular basis.
  • Audit Diagnostic Settings — If diagnostic settings are not enabled, this policy will identify non-compliant users.
  • On your virtual machines, management ports should be closed — Close the management ports on your virtual machines, which is an excellent security precaution.
  • Accounts that have been deprecated should be removed from your subscription – Locate any accounts that have been prohibited from signing in to a directory and make any required changes. You have the flexibility to build your own unique policy definitions, even though there are many here and more being added every day. You may develop strong if-then constructs to specify what you wish to apply rules to using a simple query definition schema.

How to Improve the Reusability of Azure Policies

Parameters

Defining parameters for usage in your policies is one of the most helpful techniques. You may wind up with hundreds of policies if you had to establish a separate policy for each and every modification in a policy. Parameterizing a policy is an excellent answer to this problem. This allows you to adjust the policy at the time of assignment and apply a single policy definition to a variety of use cases.

Initiatives

The next natural step is to group many definitions into a set. This enables you to attach all of those distinct definitions to a scope at once rather of having to do it separately.

Parameters of initiative

Finally, parameters may be added to initiatives and passed down to individual policies. This implies you don’t have to set parameters to each policy inside an initiative manually. This may save you a lot of time since you can design just a few initiatives that apply a variety of rules in a variety of ways based on the criteria you choose.

So what do you do when you have a policy that evaluates but finds resources out of compliance? At that point, you can launch a remediation task to fix whatever the issue might be. This can be quite powerful but also quite dangerous if setup incorrectly. Once again there are several ways to define these tasks either through the Microsoft Microsoft Azure Portal, PowerShell or through the Azure CLI.

Microsoft Microsoft Azure Portal

As before you can use the Microsoft Microsoft Azure Portal to explore the creation of a remediation task. If you find that there are no policies listed, make sure you have both deployIfNotExists policies and also those that have evaluated to non-compliant otherwise they will not show.

  1. Within the Microsoft Microsoft Azure Portal, search for Policy
  2. On the left-hand side, choose Remediation.
  3. Select a policy with non-compliant resources that is of the deployIfNotExists type.
  4. To restrict what the job applies to, filter the resources to be remediated on the New remediation task page.
  5. To begin the process, click on Remediate.

PowerShell

Using PowerShell, you can easily build a remediation job. The most important thing to keep in mind is that you must use a deployIfNotExists policy.

PS51> Start-AzPolicyRemediation -Name ‘remediationTask’ -PolicyAssignmentId ‘/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentID}’

Azure CLI

Instead of using PowerShell, you may initiate a remediation process using the Azure CLI. This is the same as the PowerShell task.

> az policy remediation create –name remediationTask –policy-assignment ‘/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/policyAssignments/{assignmentID}’

Summary

The power of Azure Rules is that you can create any number of configurable policies to help you manage your environment for any Azure subscription. Furthermore, by devoting time, effort, and thought to how you build your rules, objectives, and criteria, you may establish a well-defined and simple-to-correct arrangement.

Given that Azure Policies are available for free with any Azure Subscription, taking the effort to build what you need makes sense. Given the versatility with which these definitions and rules can be created and deployed, they can be applied to almost anything and help you keep track of your environment!

The “azure policy allowed locations” is a tool that allows for the creation of compliance policies. It also helps to remediate those policies in case they were breached.

Related Tags

  • azure policy create remediation task greyed out
  • azure policy remediation
  • azure policy best practices
  • azure policy remediation terraform
  • azure policy samples