Azure Azure Policy Configuration Security

Azure Policy – Audit and Deploy CanNotDelete Lock on Resource Group Based on Tags

Posted on Author stefanroth Comment(1)

image

If you move your workloads to production or even preproduction it is highly recommended to protect them not only against data loss but also from accidential deletion. One feature in Azure which can help are Resource Locks. Depending how you configure the lock, you cannot delete the resource, but still read and modify (CanNotDelete lock) or just lock the resource so, that everybody just can read the resource (ReadOnly lock). In my opinion to follow good governance, it is a feature everyone should use. Speaking about Azure governance – one thing that comes to mind is the Azure Policy service to enforce governance in Azure. Azure Policy can be used e.g. to audit which resource groups do not have a Resource Lock in place. A former fellow MVP Adin Ermie has written a great post on auditing resource groups if a Resource Lock has been configured or not based on tags. I think this is a nice way to check for compliance, but I was missing a remediation task. This task should remediate the non-compliant resource and therefore apply a Resource Lock on the resources.

I have uploaded the policy to my GitHub repository, where you find detailed instructions, how to provision the policy. Once you deployed the policy, you can immediately start the compliance and remediation process.

First I will deploy the policy from the repo, assign it to my subscription and configure the parameters, which will configure the tags to look for. Meaning, the policy checks only for resource groups, that have a tag name “env” and a value of “prod”…

image

…in the “Remediation” section, the policy will create a managed identity in the background and assigns the Owner permission on the subscription level. Owner permission is required to successfully apply the Resource Lock…

image

…finally review and create the assignment…

image

In the next step, I create two resource groups, one with no tags and one with the tag “env” and the value “prod”…

image

…after a while, you will see the non-compliant resource group popping up…

image

…under “Remediation tasks”, the evaluation process will start automatically and complete in the end…

image

…if we check the resource group we will see, that the Resource Lock has been applied…

image

…but only for the resource group with the appropriate tags.

You can easily start the remediation task manually if you already have resource groups in place which you need to re-evaluate.

Find the policy here and I hope this helps you securing your infrastructure.

stefanroth
http://www.stefanroth.net

Related Articles
AEM Configuration Troubleshooting

SCOM – Agentless Exception Monitoring (AEM) – FAQ

Posted on Author stefanroth

Agentless Exception Monitoring (AEM) is an older technology which has been around since a few years now. First it started off as Desktop Error Monitoring as a part of the MDOP kit and later on it has been implemented into SCOM and since then it exists as a feature until SCOM 2012 SP1. This post […]
Authoring Configuration Management Pack Script

SCOM – Populate Attributes Through PowerShell

Posted on Author stefanroth

This time I would like to show a cool idea about modifying class instance properties. In SCOM we usually use registry or WMI discoveries to populate attributes. These attributes are used for dynamic groups or maybe just to append some more information to the class instance. Imagine you are using a registry discovery for populating […]
Configuration Management Pack System Center Troubleshooting

VMM 2012 R2 – Remove Corrupted SCOM Connector

Posted on Author stefanroth

Yet another interesting SCOM problem. Today I was at a customer for fixing some SCOM issues, respectively to reinstall SCOM. The problem was, that there was a SCOM incl. VMM integration in place. Because of many issues SCOM was removed without properly removing the VMM integration. So if you tried to remove the SCOM connector […]

One Reply to “Azure Policy – Audit and Deploy CanNotDelete Lock on Resource Group Based on Tags

Leave a Reply to Niels Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.